Executive Summary

CVE-2026-42510 is a command injection vulnerability in OpenStack Ironic's IPMI console implementation. It occurs because console commands are constructed from untrusted input (such as IPMI address data) without proper shell escaping before being passed to the shellinaboxd service via socat. This improper handling allows a user with elevated permissions to inject arbitrary shell commands, potentially leading to execution of unintended commands on the conductor host.

The vulnerability requires the attacker to have the baremetal:node:update:driver_info permission, which is typically held by system members or node owners. The issue arises from concatenating command arguments into a single string without proper quoting, enabling injection of shell metacharacters.

The vulnerability affects OpenStack Ironic versions through 25.0.0 and is related to the IPMI console type, which is not enabled by default. The problem was fixed by applying proper shell quoting to the commands passed to socat.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability allows an attacker with elevated permissions to execute arbitrary commands on the conductor host running OpenStack Ironic. This can lead to a full compromise of the conductor host, impacting confidentiality, integrity, and availability of the system.

Since the attack requires elevated privileges, the risk is limited to trusted users or node owners who have write access to driver_info. However, in multi-tenant environments, node owners should not have such capabilities, so exploitation could violate expected access controls.

The vulnerability has a CVSS v3.1 base score of 6.6, indicating a medium to high severity impact, with high impact on confidentiality, integrity, and availability.

Operators can mitigate the risk by disabling the console interfaces or applying the provided fixes that properly escape shell commands.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if the OpenStack Ironic deployment uses the IPMI console type with the console interface enabled, as the vulnerability arises from command injection in this configuration.

Since the vulnerability is related to the construction and execution of console commands using untrusted driver_info data (such as ipmi_address), one approach is to audit the driver_info fields for suspicious shell metacharacters or injection patterns.

Additionally, monitoring or logging commands executed by the ironic-conductor process, especially those involving ipmitool or socat with EXEC arguments, may help detect exploitation attempts.

No specific detection commands are provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the official patches that implement proper shell quoting (using shlex.quote()) to the console commands passed to socat's EXEC argument.

If patching is not immediately possible, operators can disable the console interfaces entirely, as they are not enabled by default in OpenStack Ironic.

Operators are also advised to avoid using IPMI and instead use Redfish, which is considered more secure.

Limiting elevated permissions such as baremetal:node:update:driver_info to trusted users only can reduce the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-42510 is a command injection vulnerability in OpenStack Ironic's IPMI console implementation that allows arbitrary command execution with elevated permissions. This could potentially lead to unauthorized access or control over the conductor host, which may impact the confidentiality, integrity, and availability of data managed by the system.

However, exploitation requires elevated permissions (system member or node owner) and the use of a non-default console interface, which limits the attack surface. Operators are advised to disable the vulnerable console interfaces or use more secure alternatives like Redfish.

While the vulnerability poses a risk to system security, the provided information does not explicitly address its direct impact on compliance with specific standards or regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0