CVE-2026-44917

Published: Jun 4, 2026Modified: Jun 4, 2026

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.2 / Impact: 3.6

Source: MITRE (Secondary)

Description

OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template.

Affected (4)

Products: Openstack: Ironic

Openstack

1 product

Ironic

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Openstack Ironic	From 17.0.0 to 26.1.7
Openstack Ironic	From 27.0.0 to 29.0.6
Openstack Ironic	From 30.0.0 to 32.0.2
Openstack Ironic	From 33.0.0 to 35.0.2

Related CWEs

CWE-669

Incorrect Resource Transfer Between Spheres

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

References (3)

https://bugs.launchpad.net/ironic/+bug/2148319

Source: cve@mitre.org

Issue Tracking

https://www.openwall.com/lists/oss-security/2026/06/03/13

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2026/06/03/13

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.