CVE-2026-42997
iDRAC Credential Exposure in OpenStack Ironic
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openstack | ironic | 26.1.6 |
| openstack | ironic | 29.0.5 |
| openstack | ironic | 32.0.1 |
| openstack | ironic | 35.0.1 |
| openstack | ironic | to 26.1.6 (exc) |
| openstack | ironic | to 29.0.5 (exc) |
| openstack | ironic | to 32.0.1 (exc) |
| openstack | ironic | to 35.0.1 (exc) |
| openstack | ironic | From 17.0.0 (inc) to 26.1.6 (exc) |
| openstack | ironic | From 27.0.0 (inc) to 29.0.5 (exc) |
| openstack | ironic | From 30.0.0 (inc) to 32.0.1 (exc) |
| openstack | ironic | From 33.0.0 (inc) to 35.0.1 (exc) |
| openstack | ironic | From 2023.1 (inc) to 2024.1 (exc) |
| openstack | ironic | From 2024.2 (inc) to 2026.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive credentials, specifically Keystone tokens or basic credentials used by OpenStack Ironic.
An attacker who exploits this vulnerability can gain access to all OpenStack services that Ironic is authorized for, potentially allowing them to perform unauthorized actions within the cloud environment.
Since the attacker controls the endpoint receiving the credentials, they can capture and misuse these credentials, leading to potential compromise of the cloud infrastructure and data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenStack Ironic to one of the fixed versions: 26.1.6, 29.0.5, 32.0.1, or 35.0.1.
Additionally, note that the molds feature, which is the root cause of this vulnerability, was deprecated in the 2024.1 (Caracal) release and removed in the 2026.2 (Hibiscus) release. Disabling or removing the molds feature if possible can also help mitigate the risk.
Can you explain this vulnerability to me?
CVE-2026-42997 is a vulnerability in the iDRAC configuration mold import feature of the OpenStack Ironic service. It allows authenticated users who have permission to execute clean or deploy steps to forward sensitive credentials to arbitrary remote endpoints during the import process.
The credentials forwarded include a time-limited Keystone token, which grants access to all OpenStack services that Ironic is authorized for, or basic credentials configured for molds storage. The attacker can control the URL where the authorization request is sent, and this URL is not validated by Ironic, enabling potential credential leakage.
This issue affects multiple versions of OpenStack Ironic before the fixed versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. The molds feature itself was deprecated in release 2024.1 and removed in 2026.2.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated user to forward sensitive credentials, including time-limited Keystone tokens that provide access to all OpenStack services authorized for Ironic, to arbitrary remote endpoints. Such unauthorized credential forwarding can lead to unauthorized access to sensitive data and systems.
Because the vulnerability involves potential exposure and misuse of credentials, it could negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require strict controls over access to sensitive data and protection against unauthorized disclosure.
However, the available information does not explicitly describe specific compliance impacts or regulatory considerations.