CVE-2026-42997
Modified Modified - Updated After Analysis

iDRAC Credential Exposure in OpenStack Ironic

Vulnerability report for CVE-2026-42997, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-05

Last updated on: 2026-06-30

Assigner: MITRE

Description

An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-05
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-05-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
openstack ironic From 27.0.0 (inc) to 29.0.5 (exc)
openstack ironic From 30.0.0 (inc) to 32.0.1 (exc)
openstack ironic From 33.0.0 (inc) to 35.0.1 (exc)
openstack ironic From 17.0.0 (inc) to 26.1.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-42997 is a vulnerability in the OpenStack Ironic service's idrac configuration mold import feature. It allows authenticated users who have permissions to execute clean or deploy steps to forward sensitive credentials to arbitrary remote endpoints during the import process.

The credentials forwarded include a time-limited Keystone token, which grants access to all OpenStack services that Ironic is authorized for, or basic credentials configured for molds storage. The attacker can control the URL where the authorization request is sent, and this URL is not validated by Ironic, enabling potential credential leakage.

This issue affects multiple versions of OpenStack Ironic before the fixed versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. The molds feature itself was deprecated in release 2024.1 and removed in 2026.2.

Compliance Impact

This vulnerability allows an authenticated user to forward sensitive credentials, including time-limited Keystone tokens that provide access to all OpenStack services authorized for Ironic, to arbitrary remote endpoints. Such unauthorized credential forwarding can lead to unauthorized access to sensitive data and systems.

Because the vulnerability involves potential exposure and misuse of credentials, it could negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require strict controls over access to sensitive data and protection against unauthorized disclosure.

However, the provided information does not explicitly mention specific compliance impacts or regulatory considerations.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive credentials, specifically Keystone tokens or basic credentials used by OpenStack Ironic.

An attacker who exploits this vulnerability can gain access to all OpenStack services that Ironic is authorized for, potentially allowing them to perform unauthorized actions within the cloud environment.

Since the attacker controls the endpoint receiving the credentials, they can capture and misuse these credentials, leading to potential compromise of the cloud infrastructure and data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenStack Ironic to one of the fixed versions: 26.1.6, 29.0.5, 32.0.1, or 35.0.1.

Additionally, note that the molds feature, which is the root cause of this vulnerability, was deprecated in the 2024.1 (Caracal) release and removed in the 2026.2 (Hibiscus) release. Disabling or removing the molds feature if possible can also help mitigate the risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42997. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart