CVE-2026-44917
Path Traversal in OpenStack Ironic
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openstack | ironic | to 35.0.2 (exc) |
| openstack | ironic | From 17.0.0 (inc) to 26.1.7 (inc) |
| openstack | ironic | From 27.0.0 (inc) to 29.0.6 (inc) |
| openstack | ironic | From 30.0.0 (inc) to 32.0.2 (inc) |
| openstack | ironic | From 33.0.0 (inc) to 35.0.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44917 is a vulnerability in OpenStack Ironic that lets an authenticated project admin or manager read local files on the Ironic conductor through the pxe_template feature.
Ironic uses the `driver_info[pxe_template]` path without validating it, so any user permitted to update driver_info can point it at a sensitive file such as /etc/ironic/ironic.conf.
When Ironic renders the node's boot configuration it loads that path through jinja2's FileSystemLoader, so the file's contents end up in boot configuration files served by the unauthenticated TFTP or HTTP servers used for netbooting.
No special conditions are required beyond supplying the path; any file readable by the ironic-conductor process user can be exposed.
The vulnerability affects deployments in which project owners or system members can override driver_info; how much risk that carries depends on the deployment topology.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive local files on the Ironic conductor node.
An attacker with project admin or manager privileges can extract arbitrary files by setting the pxe_template path to sensitive files, which are then exposed via network services like TFTP or HTTP.
This exposure can compromise confidentiality of configuration files or other sensitive data accessible by the ironic-conductor process.
The impact depends on the deployment environment: in multi-tenant environments where node owners can modify driver_info, one tenant can read files from the shared conductor, and standalone deployments can carry even higher risk where role-based access controls are weaker.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if any project admin or manager has set the `driver_info[pxe_template]` parameter to point to sensitive local files on the Ironic conductor.
You can inspect the Ironic node driver_info settings for suspicious or unexpected file paths, especially those involving path traversal or sensitive files like `/etc/ironic/ironic.conf`.
Since the vulnerability involves exposure of files via TFTP or HTTP servers used by Ironic for netbooting, monitoring network traffic for unauthorized TFTP or HTTP requests to retrieve boot configuration files may also help detect exploitation attempts.
- Use the OpenStack CLI or API to enumerate nodes and inspect each node's driver_info, for example:
- openstack baremetal node list -f value -c UUID
- openstack baremetal node show <node_id> -f json -c driver_info
- In the `driver_info` output, check whether `pxe_template` is set at all and, if it is, whether it names an unexpected or sensitive path: an absolute path outside the deployment's template directory, a path containing `..` components, or a known configuration file such as `/etc/ironic/ironic.conf`.
- Monitor network traffic for TFTP or HTTP GET requests for boot configuration files, since that is where leaked file contents would be fetched from.
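The check above can be scripted over the JSON the CLI prints. The following is an added example written for this page, not Ironic's own code and not part of the CVE record: it screens node records of the shape produced by `openstack baremetal node show <node_id> -f json` and flags any `pxe_template` override that does not normalise to a path inside an allowlisted template directory. The node records are constructed test data, and `ALLOWED_TEMPLATE_DIRS` is an assumption about where a deployment keeps its PXE templates.

```python
"""Flag Ironic nodes whose driver_info['pxe_template'] points outside the
expected template directories.

Added example for this page; it is not Ironic's code and not part of the CVE
record. It consumes the JSON printed by
`openstack baremetal node show <node> -f json` (one object per node). The node
records below are constructed test data, and ALLOWED_TEMPLATE_DIRS is an
assumption about where a deployment keeps its PXE templates.
"""
import json
import posixpath

# Assumption: adapt to where your deployment keeps its PXE templates.
ALLOWED_TEMPLATE_DIRS = ("/etc/ironic/templates",)

# Constructed records in the shape of `openstack baremetal node show -f json`.
CONSTRUCTED_NODES_JSON = """[
  {"uuid": "11111111-0000-0000-0000-000000000001", "name": "node-a",
   "owner": "proj-a", "driver_info": {"ipmi_address": "10.0.0.11"}},
  {"uuid": "11111111-0000-0000-0000-000000000002", "name": "node-b",
   "owner": "proj-a",
   "driver_info": {"pxe_template": "/etc/ironic/templates/pxe_config.template"}},
  {"uuid": "11111111-0000-0000-0000-000000000003", "name": "node-c",
   "owner": "proj-b",
   "driver_info": {"pxe_template": "/etc/ironic/ironic.conf"}},
  {"uuid": "11111111-0000-0000-0000-000000000004", "name": "node-d",
   "owner": "proj-b",
   "driver_info": {"pxe_template": "/etc/ironic/templates/../ironic.conf"}},
  {"uuid": "11111111-0000-0000-0000-000000000005", "name": "node-e",
   "owner": "proj-c",
   "driver_info": {"pxe_template": "pxe_config.template"}}
]"""


def is_allowed_template(path, allowed_dirs=ALLOWED_TEMPLATE_DIRS):
    """True only for an absolute path that normalises to a location inside one
    of allowed_dirs. Normalisation collapses '..' so traversal through an
    allowed prefix is caught. Symlinks on the conductor cannot be resolved from
    the API side, so this is a screening check, not conductor-side enforcement."""
    if "\x00" in path:
        return False
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        # A relative path is not what a legitimate override looks like: suspect.
        return False
    for base in allowed_dirs:
        base = posixpath.normpath(base)
        if norm == base or norm.startswith(base + "/"):
            return True
    return False


def find_suspicious_pxe_templates(nodes, allowed_dirs=ALLOWED_TEMPLATE_DIRS):
    """Return one finding per node whose pxe_template override is not allowed."""
    findings = []
    for node in nodes:
        driver_info = node.get("driver_info") or {}
        template = driver_info.get("pxe_template")
        if template is None:
            continue  # no override: the configured default template is used
        if not is_allowed_template(str(template), allowed_dirs):
            findings.append({
                "uuid": node.get("uuid"),
                "name": node.get("name"),
                "owner": node.get("owner"),
                "pxe_template": template,
            })
    return findings


def scan_constructed_nodes():
    """Run the scan over the constructed records above."""
    return find_suspicious_pxe_templates(json.loads(CONSTRUCTED_NODES_JSON))


if __name__ == "__main__":
    for finding in scan_constructed_nodes():
        print(f"{finding['uuid']} ({finding['name']}, owner={finding['owner']}): "
              f"pxe_template={finding['pxe_template']!r}")
```

Against the constructed records, node-c (a config file), node-d (traversal through the allowed prefix) and node-e (relative path) are reported; node-a has no override and node-b points inside the allowed directory. In a real sweep, feed the function the output of `node show -f json` for every UUID from `node list`, and treat the `owner` field as the lead for who set the value.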
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting permissions so that only trusted users can modify the `driver_info[pxe_template]` parameter.
Apply the patches provided by the OpenStack Ironic team, which validate the `pxe_template` path against an allowlist of permitted directories or remove the feature entirely.
If patching is not immediately possible, disable or restrict use of the `pxe_template` override so that it cannot be used to read arbitrary files.
Review and tighten Role-Based Access Control (RBAC) policies to limit who can update `driver_info` fields.
Monitor the TFTP and HTTP services used for netbooting for unauthorized requests for boot configuration files.
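To make the mechanism in the explanation above and the allowlist mitigation concrete, here is an added example written for this page, not Ironic's code: it mirrors the pattern the page describes (a user-controlled path split into a loader directory and a template name, then read and rendered) with a standard-library file read and `string.Template` standing in for jinja2, beside a hardened version that resolves the real path and requires it to sit under an allowlisted template directory before any byte is read. The temporary template directory, the file names and the "secret" config contents are all constructed.

```python
"""Vulnerable versus hardened handling of a user-controlled template path.

Added example written for this page; it is not Ironic's code. It mirrors the
mechanism the page describes (the path from driver_info is split into a
directory for a file-system loader and a file name to load from it) using a
plain file read and string.Template instead of jinja2, so it runs with the
standard library only. The template directory, file names and the "secret"
config contents are constructed inside a temporary directory.
"""
import os
import tempfile
from string import Template


class TemplatePathError(ValueError):
    """Raised when a template path resolves outside the allowed directories."""


def render_vulnerable(template_path, context):
    """Pattern the page describes: dirname() becomes the loader's search path,
    basename() the template name, so any file the process can read is rendered
    and returned as-is."""
    loader_dir = os.path.dirname(template_path)
    name = os.path.basename(template_path)
    with open(os.path.join(loader_dir, name), encoding="utf-8") as fh:
        return Template(fh.read()).safe_substitute(context)


def resolve_template_path(template_path, allowed_dirs):
    """Hardened: resolve symlinks and '..' first, then require the real path to
    sit under one of allowed_dirs (an allowlist of directories, as the
    mitigation text suggests). Anything else is rejected before reading."""
    real = os.path.realpath(template_path)
    for base in allowed_dirs:
        base_real = os.path.realpath(base)
        if os.path.commonpath([real, base_real]) == base_real:
            return real
    raise TemplatePathError(
        f"pxe_template {template_path!r} is outside the allowed template directories")


def render_hardened(template_path, context, allowed_dirs):
    """Same rendering as above, but only after the path passes the allowlist."""
    with open(resolve_template_path(template_path, allowed_dirs), encoding="utf-8") as fh:
        return Template(fh.read()).safe_substitute(context)


def demo():
    """Constructed scenario: one legitimate template, one sensitive config file,
    and a traversal path that starts inside the allowed directory."""
    context = {"kernel": "vmlinuz", "ramdisk": "initrd"}
    results = {}
    with tempfile.TemporaryDirectory() as root:
        template_dir = os.path.join(root, "templates")
        etc_dir = os.path.join(root, "etc", "ironic")
        os.makedirs(template_dir)
        os.makedirs(etc_dir)
        legit = os.path.join(template_dir, "pxe_config.template")
        secret = os.path.join(etc_dir, "ironic.conf")
        with open(legit, "w", encoding="utf-8") as fh:
            fh.write("kernel $kernel\ninitrd $ramdisk\n")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("[keystone_authtoken]\npassword = constructed-secret\n")
        # Traversal through the allowed prefix: a prefix-only string check would pass it.
        traversal = os.path.join(template_dir, "..", "etc", "ironic", "ironic.conf")

        results["vulnerable_legit"] = render_vulnerable(legit, context)
        results["vulnerable_secret"] = render_vulnerable(secret, context)  # leaks the file
        results["hardened_legit"] = render_hardened(legit, context, [template_dir])
        for label, path in (("hardened_secret", secret), ("hardened_traversal", traversal)):
            try:
                results[label] = render_hardened(path, context, [template_dir])
            except TemplatePathError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable renderer returns the config file's contents for the secret path, which is exactly what would then be written into a boot configuration and served over TFTP or HTTP; the hardened renderer rejects both the direct path and the traversal while still rendering the legitimate template. The allowlist is compared on `os.path.realpath` output on both sides so that symlinks and `..` cannot smuggle a path past a string-prefix comparison.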
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated project admins or managers to read arbitrary local files on the Ironic conductor, potentially exposing sensitive configuration files via network services like TFTP or HTTP.
Such unauthorized exposure of sensitive files could lead to violations of data protection regulations and standards such as GDPR or HIPAA, which require strict controls over access to sensitive information and personal data.
Because the vulnerability enables unauthorized disclosure of potentially sensitive information, affected organizations may face compliance risks if exploited, especially in multi-tenant environments where access controls are weaker.