April 2026 - OpenStack-announce - lists.openstack.org

[OSSA-2026-008] Ironic: Command Injection in Ironic IPMI Console Implementations (CVE-2026-42510) - errata 1
by Goutham Pacha Ravi 29 Apr '26

29 Apr '26

======================================================================= OSSA-2026-008: Command Injection in Ironic IPMI Console Implementations ======================================================================= :Date: April 27, 2026 :CVE: CVE-2026-42510 Affects ~~~~~~~ - Ironic: >=4.3.0 <26.1.6, >=27.0.0 <29.0.5, >=30.0.0 <32.0.1, >=33.0.0 <35.0.1 Description ~~~~~~~~~~~ Dmitry Tantsur and Tuomo Tanskanen from the Metal3.io Security Team reported a vulnerability in Ironic's IPMI console backends. A project manager for the project marked as a ``node.owner`` can inject arbitrary commands which a conductor executes on console activation. No console backends are enabled by default in Ironic. Only installations which have set ``[conductor]/enabled_console_interfaces`` to enable either ``ipmitool-shellinabox`` or ``ipmitool-socat`` are vulnerable. Errata ~~~~~~ When the original advisory was published a CVE number was not assigned. CVE-2026-42510 was assigned on 2026-04-29. Patches ~~~~~~~ - https://review.opendev.org/c/openstack/ironic/+/986418 (2023.1/antelope (unmaintained)) - https://review.opendev.org/c/openstack/ironic/+/986417 (2024.1/caracal (unmaintained)) - https://review.opendev.org/c/openstack/ironic/+/986363 (2024.2/dalmatian) - https://review.opendev.org/c/openstack/ironic/+/986362 (2025.1/epoxy) - https://review.opendev.org/c/openstack/ironic/+/986361 (2025.2/flamingo) - https://review.opendev.org/c/openstack/ironic/+/986235 (2026.1/gazpacho) Credits ~~~~~~~ - Dmitry Tantsur from Metal3.io Security Team - Tuomo Tanskanen from Metal3.io Security Team References ~~~~~~~~~~ - https://launchpad.net/bugs/2148331 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42510 Notes ~~~~~ - A CVE request was filed with MITRE on 2026-04-27. - Patches for unmaintained branches are provided as a courtesy. - The ``ipmitool-shellinabox`` console interface is already scheduled for removal from Ironic for lack of security support for shellinabox. Security sensitive operators are strongly encouraged to stop use of this console interface immediately. OSSA History ~~~~~~~~~~~~ - 2026-04-29 - Errata 1 - 2026-04-27 - Original Version -- Goutham Pacha Ravi (gouthamr) OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html

1 0

[OSSA-2026-008] Command Injection in Ironic IPMI Console Implementations
by Jay Faulkner 27 Apr '26

27 Apr '26

======================================================================= OSSA-2026-008: Command Injection in Ironic IPMI Console Implementations ======================================================================= :Date: April 27, 2026 :CVE: CVE-2026-pending Affects ~~~~~~~ - Ironic: >=4.3.0 <26.1.6, >=27.0.0 <29.0.5, >=30.0.0 <32.0.1, >=33.0.0 <35.0.1 Description ~~~~~~~~~~~ Dmitry Tantsur and Tuomo Tanskanen from the Metal3.io Security Team reported a vulnerability in Ironic's IPMI console backends. A project manager for the project marked as a ``node.owner`` can inject arbitrary commands which a conductor executes on console activation. No console backends are enabled by default in Ironic. Only installations which have set ``[conductor]/enabled_console_interfaces`` to enable either ``ipmitool-shellinabox`` or ``ipmitool-socat`` are vulnerable. Patches ~~~~~~~ -https://review.opendev.org/c/openstack/ironic/+/986418 (2023.1/antelope (unmaintained)) -https://review.opendev.org/c/openstack/ironic/+/986417 (2024.1/caracal (unmaintained)) -https://review.opendev.org/c/openstack/ironic/+/986363 (2024.2/dalmatian) -https://review.opendev.org/c/openstack/ironic/+/986362 (2025.1/epoxy) -https://review.opendev.org/c/openstack/ironic/+/986361 (2025.2/flamingo) -https://review.opendev.org/c/openstack/ironic/+/986235 (2026.1/gazpacho) Credits ~~~~~~~ - Dmitry Tantsur from Metal3.io Security Team - Tuomo Tanskanen from Metal3.io Security Team References ~~~~~~~~~~ -https://launchpad.net/bugs/2148331 Notes ~~~~~ - A CVE request was filed with MITRE on 2026-04-27. - Patches for unmaintained branches are provided as a courtesy. - The ``ipmitool-shellinabox`` console interface is already scheduled for removal from Ironic for lack of security support for shellinabox. Security sensitive operators are strongly encouraged to stop use of this console interface immediately. Thanks, Jay Faulkner OpenStack Vulnerability Management Team Ironic Security Liason

1 0

OSSN-0095: OVN security group rules created before address group support may be ineffective
by Goutham Pacha Ravi 23 Apr '26

23 Apr '26

OSSN-0095: OVN security group rules created before address group support may be ineffective == Summary == In deployments using the OVN ML2 driver, security group rules referencing remote address groups that were created before OVN address group support was added do not enforce source address filtering. The resulting OVN ACLs allow traffic from any source to the destination port. == Affected Services / Software == * neutron (OVN ML2 driver): <25.2.3, >=26.0.0 <26.0.3, >=27.0.0 <27.0.2 == Discussion == Before OVN address group support was added, the Neutron API accepted address group references in security group rules without error, but the OVN driver silently ignored them. The resulting ACLs had no source address set, effectively allowing 0.0.0.0/0. After upgrading, new rules work correctly but pre-existing ones are not fixed. The neutron-ovn-db-sync-util repair mode also does not correct them. Deleting an affected rule via the API orphans the ACL in OVN, which continues to pass traffic. A fix has been merged that adds a maintenance task to automatically create missing address sets and update affected ACLs on service restart. == Recommended Actions == Upgrade to a version of neutron containing the fix ([https://review.opendev.org/c/openstack/neutron/+/976832 Gerrit 976832]) and restart the neutron services. The maintenance task will correct pre-existing rules automatically. Operators should verify that orphaned ACLs from previously deleted rules are removed. == Credits == James Denton, Rackspace == Contacts / References == o * Authors: Goutham Pacha Ravi, Red Hat * This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0095 * Original Launchpad bug: [https://launchpad.net/bugs/2141589 LP#2141589] * Mailing List: [security-sig] tag on openstack-discuss(a)lists.openstack.org * OpenStack Security: https://security.openstack.org/ * CVE: none

1 0

[OSSA-2026-007] OpenStack Keystone: LDAP identity backend does not convert enabled attribute to boolean (CVE PENDING)
by Goutham Pacha Ravi 14 Apr '26

14 Apr '26

================================================================================== OSSA-2026-007: LDAP identity backend does not convert enabled attribute to boolean ================================================================================== :Date: April 14, 2026 :CVE: CVE-2026-pending Affects ~~~~~~~ - Keystone: >=8.0.0 <25.0.1, >=26.0.0 <26.1.1, >=27.0.0 <27.0.1, >=28.0.0 <28.0.1 Description ~~~~~~~~~~~ Benedikt Trefzer and Andrew Bogott independently reported a vulnerability in the Keystone LDAP identity backend. When the user_enabled_invert configuration option was False (the default), Keystone did not correctly interpret the LDAP enabled attribute, causing users disabled in LDAP to be treated as enabled and allowed to authenticate. Deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected. Patches ~~~~~~~ -https://review.opendev.org/982409 (2024.2/dalmatian) -https://review.opendev.org/982408 (2025.1/epoxy) -https://review.opendev.org/982407 (2025.2/flamingo) -https://review.opendev.org/958205 (2026.1/gazpacho) Credits ~~~~~~~ - Benedikt Trefzer from Cirrax GmbH (CVE-2026-pending) - Andrew Bogott from Wikimedia Foundation (CVE-2026-pending) - Grzegorz Grasza from Red Hat (CVE-2026-pending) References ~~~~~~~~~~ -https://launchpad.net/bugs/2121152 -https://launchpad.net/bugs/2141713 Notes ~~~~~ - To work around this vulnerability, set user_enabled_invert=True and use an LDAP attribute with inverted semantics such as nsAccountLock, or use user_enabled_emulation with group-based enabled status. - A CVE request was filed with MITRE on 2026-04-10. - The fix was merged on the master branch before the stable/2026.1 branch was cut, so no specific stable/2026.1 patch exists. The fix is included in the gazpacho (29.0.0) release. -- Goutham Pacha Ravi (gouthamr) OpenStack Vulnerability Management Team

1 0

[OSSA-2026-006] OpenStack Skyline: DOM-based XSS in Skyline Console via unsanitized instance console log rendering (CVE-2026-pending)
by Goutham Pacha Ravi 09 Apr '26

09 Apr '26

============================================================================================== OSSA-2026-006: DOM-based XSS in Skyline Console via unsanitized instance console log rendering ============================================================================================== :Date: April 09, 2026 :CVE: CVE-2026-pending Affects ~~~~~~~ - Skyline-console: <5.0.1, ==6.0.0, ==7.0.0 Description ~~~~~~~~~~~ Myunghyun Lee (Team Open the Window, Stealien SSL 6th) reported a DOM-based Cross-Site Scripting (XSS) vulnerability in Skyline Console. The instance console log viewer rendered log content in a new browser window using document.write() without sanitizing or escaping the output. Deployments where administrators use the Skyline Console web interface to view instance console logs are affected. Patches ~~~~~~~ -https://review.opendev.org/982356 (2024.2/dalmatian) -https://review.opendev.org/982355 (2025.1/epoxy) -https://review.opendev.org/982350 (2025.2/flamingo) -https://review.opendev.org/973351 (2026.1/gazpacho) Credits ~~~~~~~ - Myunghyun Lee from Team Open the Window, Stealien SSL 6th (CVE-2026-pending) References ~~~~~~~~~~ -https://launchpad.net/bugs/2138575 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending Notes ~~~~~ - Until upgraded, operators should restrict or avoid use of "View Full Log" for instances where console output may be influenced by untrusted users. - A CVE request was filed with MITRE on 2026-03-25. - The fix was merged on the master branch before the stable/2026.1 branch was cut, so no specific stable/2026.1 patch exists. The fix is included in the gazpacho (8.0.0) release. -- Goutham Pacha Ravi (gouthamr) OpenStack Vulnerability Management Team

1 0

[OSSA-2026-005] Keystone: Restricted application credentials can create EC2 credentials (CVE-2026-33551)
by Jeremy Stanley 07 Apr '26

07 Apr '26

============================================================================ OSSA-2026-005: Restricted application credentials can create EC2 credentials ============================================================================ :Date: April 07, 2026 :CVE: CVE-2026-33551 Affects ~~~~~~~ - Keystone: >=14.0.0 <26.1.1, ==27.0.0, ==28.0.0, ==29.0.0 Description ~~~~~~~~~~~ Maxence Bornecque from Orange Cyberdefense CERT Vulnerability Intelligence Watch Team reported a vulnerability in Keystone's EC2 credential creation endpoint. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected. Patches ~~~~~~~ - https://review.opendev.org/983597 (2024.1/caracal) - https://review.opendev.org/983591 (2024.2/dalmatian) - https://review.opendev.org/983589 (2025.1/epoxy) - https://review.opendev.org/983588 (2025.2/flamingo) - https://review.opendev.org/983593 (2026.1/gazpacho) - https://review.opendev.org/983587 (2026.2/hibiscus) Credits ~~~~~~~ - Maxence Bornecque from Orange Cyberdefense CERT Vulnerability Intelligence Watch Team (CVE-2026-33551) References ~~~~~~~~~~ - https://launchpad.net/bugs/2142138 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33551 Notes ~~~~~ - The unmaintained/2024.1 branch is unmaintained and will receive no new point releases, but a patch for it is provided as a courtesy. -- Jeremy Stanley OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html

1 0

OpenStack 2026.1 "Gazpacho" is officially released!
by Elõd Illés 01 Apr '26

01 Apr '26

Hello OpenStack community, I'm excited to announce the final releases for the components of OpenStack 2026.1 "Gazpacho", which conclude the 2026.1 "Gazpacho" development cycle. You will find a complete list of all components, their latest versions, and links to individual project release notes documents listed on the new release site. https://releases.openstack.org/gazpacho/ Congratulations to all of the teams who have contributed to this release! There was an increase in the number of contributors and the number of changes merged this cycle, which is great to see. Our next production cycle, 2026.2 "Hibiscus", has already started. We will meet virtually at April 20-24, at the Project Team Gathering to plan the work for the upcoming cycle. I hope to see you there! Thanks, Előd Illés on behalf of the Release Management team

1 0