CVE-2026-28370

Published: Feb 27, 2026Modified: Mar 5, 2026

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: MITRE (Secondary)

Description

In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.

Affected (4)

Products: Openstack: Vitrage

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Openstack Vitrage	Before 12.01
Openstack Vitrage	From 13.0.0 to 13.0.1
Openstack Vitrage	From 14.0.0 to 14.0.1
Openstack Vitrage	From 15.0.0 to 15.0.1

Related CWEs

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

References (3)

https://github.com/openstack/vitrage/blob/a1f86950e1314b0c740f9cd9b7e9dbab7d02af51/vitrage/graph/query.py#L70

Source: cve@mitre.org

Issue Tracking

https://storyboard.openstack.org/#%21/story/2011539

Source: cve@mitre.org

ExploitIssue TrackingVendor Advisory

http://www.openwall.com/lists/oss-security/2026/03/03/6

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.