CVE-2026-42997
Awaiting Analysis Awaiting Analysis - Queue
iDRAC Credential Exposure in OpenStack Ironic

Publication date: 2026-05-05

Last updated on: 2026-05-06

Assigner: MITRE

Description
An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42997
EUVD
EUVD-2026-27428
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
openstack ironic 26.1.6
openstack ironic 29.0.5
openstack ironic 32.0.1
openstack ironic 35.0.1
openstack ironic to 26.1.6 (exc)
openstack ironic to 29.0.5 (exc)
openstack ironic to 32.0.1 (exc)
openstack ironic to 35.0.1 (exc)
openstack ironic From 17.0.0 (inc) to 26.1.6 (exc)
openstack ironic From 27.0.0 (inc) to 29.0.5 (exc)
openstack ironic From 30.0.0 (inc) to 32.0.1 (exc)
openstack ironic From 33.0.0 (inc) to 35.0.1 (exc)
openstack ironic From 2023.1 (inc) to 2024.1 (exc)
openstack ironic From 2024.2 (inc) to 2026.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42997 is a vulnerability in the OpenStack Ironic service's idrac configuration mold import feature. It allows authenticated users who have permissions to execute clean or deploy steps to forward sensitive credentials to arbitrary remote endpoints during the import process.

The credentials forwarded include a time-limited Keystone token, which grants access to all OpenStack services that Ironic is authorized for, or basic credentials configured for molds storage. The attacker can control the URL where the authorization request is sent, and this URL is not validated by Ironic, enabling potential credential leakage.

This issue affects multiple versions of OpenStack Ironic before the fixed versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. The molds feature itself was deprecated in release 2024.1 and removed in 2026.2.

Compliance Impact

This vulnerability allows an authenticated user to forward sensitive credentials, including time-limited Keystone tokens that provide access to all OpenStack services authorized for Ironic, to arbitrary remote endpoints. Such unauthorized credential forwarding can lead to unauthorized access to sensitive data and systems.

Because the vulnerability involves potential exposure and misuse of credentials, it could negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require strict controls over access to sensitive data and protection against unauthorized disclosure.

However, the provided information does not explicitly mention specific compliance impacts or regulatory considerations.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive credentials, specifically Keystone tokens or basic credentials used by OpenStack Ironic.

An attacker who exploits this vulnerability can gain access to all OpenStack services that Ironic is authorized for, potentially allowing them to perform unauthorized actions within the cloud environment.

Since the attacker controls the endpoint receiving the credentials, they can capture and misuse these credentials, leading to potential compromise of the cloud infrastructure and data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenStack Ironic to one of the fixed versions: 26.1.6, 29.0.5, 32.0.1, or 35.0.1.

Additionally, note that the molds feature, which is the root cause of this vulnerability, was deprecated in the 2024.1 (Caracal) release and removed in the 2026.2 (Hibiscus) release. Disabling or removing the molds feature if possible can also help mitigate the risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42997. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart