CVE-2026-44916
Status: Awaiting Analysis (Queue)
OpenStack Ironic Instance Info Template Sandbox Escape

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: MITRE

Description
In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing.
Meta Information
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: openstack; Product: ironic; Version / Range: up to 36.0.0 (exclusive)
CWE
CWE-1336: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-44916 is a security vulnerability in OpenStack Ironic where the instance_info['ks_template'] parameter is rendered without proper sandboxing. This allows for Jinja2 template injection because the rendering function uses an unsandboxed jinja2.Environment. Authenticated users who can set the template URL to an HTTP location can exploit this to craft malicious templates.

This vulnerability can lead to remote code execution (RCE) on the Ironic conductor process, potentially exposing sensitive information such as BMC credentials, database connections, and node provisioning capabilities.

The issue specifically affects kickstart-based deployments (RHEL/CentOS) using the Anaconda deploy interface, which must be enabled in the configuration. The vulnerability arises from a lack of sandboxing in the template rendering process.

A fix involves replacing the unsandboxed jinja2.Environment with jinja2.sandbox.SandboxedEnvironment to prevent execution of malicious payloads without breaking existing templates.


How can this vulnerability impact me?

This vulnerability can allow an authenticated attacker to execute arbitrary code remotely on the Ironic conductor process.

Successful exploitation could expose sensitive information such as BMC credentials, database connections, and node provisioning capabilities, which could lead to further compromise of the infrastructure.

Although the affected Anaconda deploy interface is not widely used in production, if permissions are loosened or the feature is enabled, the vulnerability creates a significant security risk.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the rendering of the instance_info['ks_template'] parameter without sandboxing in OpenStack Ironic, which can be exploited via Jinja2 template injection.

To detect this vulnerability on your system, you should check if your OpenStack Ironic deployment uses the Anaconda deploy interface with kickstart-based deployments (RHEL/CentOS) and if the vulnerable code path involving utils.render_template() with an unsandboxed jinja2.Environment is present.

There are no specific commands provided in the resources to detect exploitation attempts or presence of the vulnerability.

However, general detection steps could include reviewing configuration files for the Anaconda driver enablement, auditing logs for suspicious template rendering activities, and verifying the version of OpenStack Ironic to see if it is at or below version 35.x.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the patch that replaces the use of jinja2.Environment with jinja2.sandbox.SandboxedEnvironment in the utils.render_template() function.

This change prevents malicious payloads from executing arbitrary code while maintaining compatibility with existing templates.

Additionally, if you are using the Anaconda deploy interface with kickstart-based deployments, consider disabling or restricting its use until the patch is applied.

Review and tighten permissions to limit authenticated users' ability to set template URLs to HTTP locations, reducing the attack surface.
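As an added illustration (not Ironic's own code), the two hypothetical render functions below mirror the before/after shape the patch describes: a plain jinja2.Environment beside a jinja2.sandbox.SandboxedEnvironment, run over a constructed kickstart fragment and a constructed node object. It shows that a legitimate template renders identically in both, while the sandbox masks private attributes and raises SecurityError on private method calls.

```python
import jinja2
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


class NodeInfo:
    """Constructed stand-in for an object a kickstart template can see."""

    def __init__(self, name, bmc_password):
        self.name = name
        self._bmc_password = bmc_password  # underscore: unsafe for the sandbox

    def _internal(self):  # underscore: the sandbox refuses to call it
        return "not for templates"


# Constructed sample: a kickstart fragment of the kind ks_template carries.
KS_TEMPLATE = "url --url={{ image_url }}\nnetwork --hostname={{ node.name }}\n"
PARAMS = {"image_url": "http://images.example.test/rhel.iso"}


def render_unsandboxed(template, **ctx):
    """The vulnerable shape: a plain jinja2.Environment, no sandbox."""
    return jinja2.Environment().from_string(template).render(**ctx)


def render_sandboxed(template, **ctx):
    """The fixed shape: SandboxedEnvironment, as the patch described above."""
    return SandboxedEnvironment().from_string(template).render(**ctx)


def compare(template):
    """Render with both environments and return (plain_output, sandbox_result),
    where sandbox_result is the rendered text or "SecurityError" if blocked."""
    ctx = dict(PARAMS, node=NodeInfo("node-01", "constructed-secret"))
    plain = render_unsandboxed(template, **ctx)
    try:
        sandboxed = render_sandboxed(template, **ctx)
    except SecurityError:
        sandboxed = "SecurityError"
    return plain, sandboxed


if __name__ == "__main__":
    # A legitimate kickstart template renders identically in both environments.
    print(compare(KS_TEMPLATE))
    # A private attribute: the plain env discloses it, the sandbox renders "".
    print(compare("{{ node._bmc_password }}"))
    # A private method call: the plain env runs it, the sandbox raises.
    print(compare("{{ node._internal() }}"))
```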


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows authenticated users to execute remote code on the Ironic conductor process, potentially exposing sensitive information such as BMC credentials, database connections, and node provisioning capabilities.

Exposure of such sensitive data could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive information and secure system operations.

Although the vulnerability currently affects a less commonly used deployment driver and requires authenticated access, it creates a defense-in-depth gap that could be exploited if permissions are loosened, increasing the risk of data breaches and regulatory violations.

