OpenStack Ironic

10 CVEs affecting OpenStack Ironic. Latest disclosed: 2026-06-05. Critical: 0, High: 1.

Top CVEs affecting OpenStack Ironic
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-42997 | High | 7.7 | 2026-05-05 | An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpo… |
| CVE-2026-42510 | Medium | 6.6 | 2026-04-28 | OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration that has a console interface. |
| CVE-2015-7514 | Medium | 6.5 | 2017-06-07 | OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after use, which allows remote authenticated users to obtain sensitive information. |
| CVE-2026-48681 | Medium | 5.9 | 2026-06-04 | OpenStack Ironic before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image. |
| CVE-2026-46447 | Medium | 5.8 | 2026-06-03 | OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info. |
| CVE-2026-50589 | Medium | 5.3 | 2026-06-05 | In OpenStack Ironic 32 through 35.0.1, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service an… |
| CVE-2026-44917 | Medium | 4.9 | 2026-06-04 | OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template. |
| CVE-2026-44919 | Medium | 4.3 | 2026-05-14 | In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL. |
| CVE-2026-44916 | Low | 3.0 | 2026-05-08 | In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing. |
| CVE-2025-44021 | Low | 2.8 | 2025-05-08 | OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious… |