Vypr advisory, published Jun 4, 2026 (1 source)

OpenStack: Critical RCE and Multiple Ironic Flaws Disclosed Together


Key findings

  • Critical RCE vulnerability (CVE-2026-41283) in OpenStack Mistral through 22.0.0.
  • Three medium-severity vulnerabilities disclosed in OpenStack Ironic, patched in 35.0.2.
  • Ironic flaws include file overwrite, local file read, and boot script injection.
  • All four vulnerabilities were disclosed within a 6-hour window on June 3-4, 2026.
  • Mitigation requires updating Mistral to 22.0.1+ and Ironic to 35.0.2+.

OpenStack users are urged to update their deployments following the coordinated disclosure of four vulnerabilities affecting the cloud infrastructure platform. The batch, disclosed on June 3rd and 4th, 2026, includes a critical remote code execution flaw in the Mistral service and three medium-severity issues impacting the Ironic bare-metal provisioning service.

The most severe of these is CVE-2026-41283, a critical vulnerability in OpenStack Mistral through version 22.0.0. When the Mistral API is exposed, this flaw allows for arbitrary remote code execution, potentially leading to the exfiltration of service credentials. This vulnerability poses a significant risk to environments running unpatched versions of Mistral.

The OpenStack Ironic service, responsible for bare-metal provisioning, is affected by three distinct vulnerabilities in versions prior to 35.0.2, all of which are fixed in 35.0.2. CVE-2026-48681, rated medium, allows file overwrite via directory traversal when a node is deployed with a crafted ISO image. Another medium-severity issue, CVE-2026-44917, permits an authenticated administrator to read local files on the Ironic conductor by manipulating the pxe_template.

Finally, CVE-2026-46447, also a medium-severity vulnerability, enables boot script injection. This occurs if an attacker can control the node's driver or instance information, allowing them to inject an iPXE script. These Ironic vulnerabilities, while not as critical as the Mistral RCE, could still be chained or exploited to gain unauthorized access or disrupt provisioning operations.

All disclosed vulnerabilities have been addressed by the OpenStack project. Users are strongly advised to update their Ironic deployments to version 35.0.2 or later and their Mistral deployments to version 22.0.1 or later to mitigate these risks. The coordinated disclosure of these vulnerabilities highlights the ongoing security efforts within the OpenStack community to identify and rectify potential weaknesses in its various services.
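Added example, not code from the advisory or from the OpenStack project: a small Python check that compares the Mistral and Ironic versions an operator has recorded against the fixed releases named above and lists which of the four CVEs still apply. The service keys, the sample version strings and the pre-release handling are assumptions.

```python
"""Audit OpenStack Mistral/Ironic versions against the fixed releases named in
this advisory. Example code written for this page, not OpenStack's own tooling.
Version strings are supplied by the operator (e.g. from the package manager);
the sample values at the bottom are constructed."""
import re

# Fixed release per service, as stated in the advisory: anything older is affected.
FIXED_RELEASES = {
    "mistral": ("22.0.1", ["CVE-2026-41283"]),
    "ironic": ("35.0.2", ["CVE-2026-48681", "CVE-2026-44917", "CVE-2026-46447"]),
}


def parse_version(text):
    """Turn '35.0.2' (or '35.0.2.dev3') into a comparable tuple of ints.
    Only the leading dotted integers are compared; a pre-release suffix such as
    'dev', 'rc', 'a' or 'b' sorts before the bare release (assumption)."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # normalise '22' -> (22, 0, 0)
    suffix = m.group(2).strip(". -")
    prerelease = 0 if suffix.startswith(("dev", "rc", "a", "b")) else 1
    return nums + (prerelease,)


def affected_cves(installed):
    """installed: {'mistral': '22.0.0', 'ironic': '35.0.2', ...}.
    Returns {service: [CVE, ...]} for every service below its fixed release;
    services the advisory does not cover are ignored."""
    findings = {}
    for service, version in installed.items():
        if service not in FIXED_RELEASES:
            continue
        fixed, cves = FIXED_RELEASES[service]
        if parse_version(version) < parse_version(fixed):
            findings[service] = list(cves)
    return findings


if __name__ == "__main__":
    # Constructed sample: vulnerable Mistral, patched Ironic, unrelated service.
    sample = {"mistral": "22.0.0", "ironic": "35.0.10", "nova": "31.0.0"}
    print(affected_cves(sample))  # {'mistral': ['CVE-2026-41283']}
```

Note that the comparison is numeric, so 35.0.10 is correctly treated as newer than 35.0.2; a plain string comparison would get that wrong.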

Synthesized by Vypr AI