CVE-2026-44917
Analyzed Analyzed - Analysis Complete
Path Traversal in OpenStack Ironic

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: MITRE

Description
OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-44917
EUVD
EUVD-2026-34202
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
openstack ironic From 17.0.0 (inc) to 26.1.7 (exc)
openstack ironic From 27.0.0 (inc) to 29.0.6 (exc)
openstack ironic From 30.0.0 (inc) to 32.0.2 (exc)
openstack ironic From 33.0.0 (inc) to 35.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44917 is a vulnerability in OpenStack Ironic that allows a malicious authenticated project admin or manager to read local files on the Ironic conductor by exploiting the pxe_template feature.

The issue occurs because Ironic uses the pxe_template path without proper validation, enabling users with permission to update driver_info to set this path to sensitive files such as /etc/ironic/ironic.conf.

When Ironic processes this path using jinja2's FileSystemLoader, it reads the file contents and exposes them in boot configurations served via unauthenticated TFTP or HTTP servers.

This attack requires only path traversal and no special conditions, affecting any file readable by the ironic-conductor process user.

The vulnerability affects deployments where project owners or system members can override driver_info, and the risk varies depending on deployment topology.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive local files on the Ironic conductor node.

An attacker with project admin or manager privileges can extract arbitrary files by setting the pxe_template path to sensitive files, which are then exposed via network services like TFTP or HTTP.

This exposure can compromise confidentiality of configuration files or other sensitive data accessible by the ironic-conductor process.

The impact depends on the deployment environment; multi-tenant environments where node owners can modify driver_info are particularly at risk, while standalone deployments may face higher risk due to weaker role-based access controls.

Detection Guidance

This vulnerability can be detected by checking if any project admin or manager has set the `driver_info[pxe_template]` parameter to point to sensitive local files on the Ironic conductor.

You can inspect the Ironic node driver_info settings for suspicious or unexpected file paths, especially those involving path traversal or sensitive files like `/etc/ironic/ironic.conf`.

Since the vulnerability involves exposure of files via TFTP or HTTP servers used by Ironic for netbooting, monitoring network traffic for unauthorized TFTP or HTTP requests to retrieve boot configuration files may also help detect exploitation attempts.

  • Use OpenStack CLI or API commands to list and inspect node driver_info parameters, for example:
  • openstack baremetal node show <node_id> --long
  • Look specifically for the `driver_info` field and check if `pxe_template` is set to any unusual or sensitive file paths.
  • Monitor network traffic for TFTP or HTTP GET requests to boot configuration files that might expose sensitive data.
Mitigation Strategies

Immediate mitigation steps include restricting permissions so that only trusted users can modify the `driver_info[pxe_template]` parameter.

Apply patches provided by the OpenStack Ironic team that validate the `pxe_template` path against an allowlist of permitted directories or remove the feature entirely.

If patching is not immediately possible, consider disabling or restricting the use of the `pxe_template` feature to prevent arbitrary file reads.

Review and tighten Role-Based Access Control (RBAC) policies to limit who can update `driver_info` fields.

Monitor network services (TFTP/HTTP) for unauthorized access attempts to boot configuration files.

Compliance Impact

The vulnerability allows authenticated project admins or managers to read arbitrary local files on the Ironic conductor, potentially exposing sensitive configuration files via network services like TFTP or HTTP.

Such unauthorized exposure of sensitive files could lead to violations of data protection regulations and standards such as GDPR or HIPAA, which require strict controls over access to sensitive information and personal data.

Because the vulnerability enables unauthorized disclosure of potentially sensitive information, affected organizations may face compliance risks if exploited, especially in multi-tenant environments where access controls are weaker.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44917. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart