Executive Summary

CVE-2026-34881 is a Server-Side Request Forgery (SSRF) vulnerability in OpenStack Glance's image import functionality, specifically affecting the web-download and glance-download import methods, as well as the optional ovf_process plugin.

The vulnerability arises because the URL validation function only checks the initial URL submitted by an authenticated user, but does not re-validate URLs when HTTP redirects occur. This allows an attacker to supply a URL that passes validation but redirects to internal services, bypassing security checks.

Additionally, the blacklist used to block disallowed hosts does not normalize IP addresses, allowing attackers to bypass it by encoding IP addresses in alternative formats such as decimal, hexadecimal, or octal.

As a result, an authenticated user can exploit this flaw to make the server request internal resources, potentially exfiltrating sensitive data from internal services.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-34881 is a Server-Side Request Forgery (SSRF) vulnerability in OpenStack Glance's image import functionality that allows authenticated users to bypass URL validation and access internal services, potentially leading to data exfiltration.

This vulnerability could impact compliance with common standards and regulations such as GDPR and HIPAA because it enables unauthorized access to internal services and sensitive data, including cloud metadata services and internal APIs. Such unauthorized data exposure or exfiltration may violate data protection requirements and confidentiality obligations mandated by these regulations.

Specifically, the confirmed exfiltration of internal Keystone API data and Glance API data demonstrates a risk of unauthorized disclosure of sensitive information, which could lead to non-compliance with confidentiality and data protection principles required by standards like GDPR and HIPAA.

Mitigations such as validating all redirect URLs and normalizing IP addresses before blacklist checks are recommended to prevent exploitation and help maintain compliance by protecting internal data from unauthorized access.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an authenticated attacker to bypass URL validation and access internal services that are normally protected from external access.

The attacker can exploit HTTP redirect behavior and IP address encoding bypasses to make the server fetch data from internal endpoints such as Keystone API, Glance API, cloud metadata services (AWS/GCP/Azure IMDS), RabbitMQ, databases, and monitoring endpoints.

This can lead to unauthorized internal service discovery, port scanning, and exfiltration of sensitive internal data, compromising confidentiality.

The CVSS 3.1 base score is 5.0 with a confidentiality impact classified as low to medium, requiring authentication but with low attack complexity.

Useful 0 Not Useful 0

Detection Guidance

Detection of this SSRF vulnerability involves monitoring for unusual or unauthorized HTTP redirect activities during image import operations in OpenStack Glance, especially those involving the web-download and glance-download import methods.

Since the vulnerability allows an authenticated user to submit URLs that redirect to internal services, network detection can focus on identifying HTTP requests that follow redirects to internal IP addresses or unusual ports.

Suggested detection approaches include:

• Monitoring OpenStack Glance logs for image import requests using web-download or glance-download methods.
• Inspecting HTTP traffic for redirect chains originating from image import URLs that lead to internal IP addresses.
• Using network monitoring tools or IDS/IPS to detect outbound HTTP requests from the Glance service to internal IP ranges triggered by image import.

Specific commands are not provided in the resources, but administrators can use tools like tcpdump or Wireshark to capture traffic on the Glance host, filtering for HTTP 3xx redirect responses and subsequent requests to internal IPs.

Additionally, reviewing Glance configuration and logs for enabled import methods and suspicious image import URIs can help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps for CVE-2026-34881 focus on preventing exploitation of the SSRF vulnerability in OpenStack Glance's image import functionality.

• Disable the vulnerable web-download import method by removing it from the `enabled_import_methods` configuration in `glance-api.conf`. For example, set: `enabled_import_methods = glance-direct, glance-download, copy-image` to exclude web-download.
• Apply patches that implement a `SafeRedirectHandler` to validate every HTTP redirect destination URL during image import, preventing bypass via redirects.
• Enhance URL validation by normalizing IP addresses before blacklist checks to prevent bypass via encoded IP formats (decimal, hexadecimal, octal).
• Consider disabling HTTP redirects entirely in the image import process as a temporary restrictive measure if patching is not immediately possible.

These mitigations reduce the risk of SSRF exploitation by ensuring that all URLs and redirects are properly validated and that vulnerable import methods are disabled until fixes are applied.

Useful 0 Not Useful 0