CVE-2026-41283
Arbitrary Remote Code Execution in OpenStack Mistral
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openstack | mistral | From 20.0.0 (inc) to 20.1.1 (exc) |
| openstack | mistral | 21.0.0 |
| openstack | mistral | 22.0.0 |
| openstack | mistral | 2024.2-eol |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41283 is a vulnerability in OpenStack Mistral that allows arbitrary remote code execution when the API is exposed.
Specifically, certain endpoints permit authenticated users to bypass policy enforcement, create public resources, and upload arbitrary code that executes on Mistral executor workers.
This flaw enables attackers to run malicious code remotely and potentially extract sensitive information such as service credentials.
How can this vulnerability impact me?
This vulnerability can have severe impacts including complete compromise of the affected system.
- An attacker with authenticated access can execute arbitrary code remotely on Mistral executor workers.
- Sensitive data, including service credentials, can be exfiltrated by the attacker.
- The vulnerability has a high severity score (CVSS 9.9), indicating critical impact on confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-41283, you should upgrade OpenStack Mistral to a patched version. Multiple patches have been released addressing this issue across different Mistral versions, including 2025.1/epoxy, 2025.2/flamingo, 2026.1/gazpacho, and 2026.2/hibiscus.
Avoid exposing the Mistral API publicly to reduce the risk of exploitation.
If you are using older or end-of-life releases such as 2024.2-eol, consider upgrading to a supported version to ensure you receive security updates.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in OpenStack Mistral allows arbitrary remote code execution and exfiltration of service credentials, which can lead to unauthorized access to sensitive data.
Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and proper access controls.
Exfiltration of service credentials and execution of arbitrary code represent significant security failures that may result in violations of data protection requirements under these regulations.