CVE-2026-46447
Status: Modified (updated after analysis)
Boot Script Injection in OpenStack Ironic

Publication date: 2026-06-03

Last updated on: 2026-06-15

Assigner: MITRE

Description
OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info.
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-22
References: NVD, EUVD
Affected Vendors & Products
4 associated CPEs (vendor openstack, product ironic):

  Vendor     Product   Version range
  openstack  ironic    >= 17.0.0, < 26.1.7
  openstack  ironic    >= 27.0.0, < 29.0.6
  openstack  ironic    >= 30.0.0, < 32.0.2
  openstack  ironic    >= 33.0.0, < 35.0.2

Read from these ranges, the first fixed release on each series is 26.1.7, 29.0.6, 32.0.2 and 35.0.2.
CWE
CWE-669 (Incorrect Resource Transfer Between Spheres): The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. Here the "resource" is the iPXE boot script: operator-supplied node fields are copied into it without the characters that would let them become additional script lines being rejected.
AI-Generated Analysis
Executive Summary

This vulnerability is a boot script injection issue in OpenStack Ironic before 35.0.2 (the same fix appears as 26.1.7, 29.0.6 and 32.0.2 on the older release series listed above). An attacker who can set node.driver_info or node.instance_info, that is, who has Ironic API access to update a node, can inject iPXE script content into the boot script Ironic generates for that node during provisioning.

Impact Analysis

Ironic renders node fields such as kernel command line overrides into the iPXE script that the machine fetches when it network-boots. Injected script lines are executed by iPXE on the managed machine, so the attacker decides what that machine boots and can execute arbitrary code or commands during the boot process, potentially leading to unauthorized access, compromise of the bare-metal host, or disruption of services.

Compliance Impact

The provided information does not explicitly address how CVE-2026-46447 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the injection of iPXE script content via crafted values in the node.driver_info or node.instance_info fields of an Ironic node. Detection means monitoring and inspecting those fields for kernel command line parameters that contain control characters or newlines: a newline is what lets a value meant to be a single command line argument turn into additional lines of the generated iPXE script.

Commands to detect this could include querying the OpenStack Ironic API or database for nodes with unusual or suspicious entries in driver_info or instance_info, concentrating on kernel_append_params and similar fields that are copied onto the kernel command line.

  • Use the OpenStack CLI or API to list nodes and inspect the driver_info and instance_info fields for suspicious kernel parameters.
  • Example: `openstack baremetal node list` to enumerate nodes, then `openstack baremetal node show <node_uuid> -f json` to dump each node's details in a machine-checkable form.
  • Search the values for control characters or newlines; a plain-text listing hides them, so this needs scripting over the JSON output rather than eyeballing the table.

Network detection could involve monitoring PXE/iPXE boot traffic (the TFTP and HTTP requests nodes make during provisioning) for script downloads or boot parameters that do not match the expected templates, but the available resources give no specific commands for this.
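The field-inspection step above, as an added example that is not part of this advisory or of the Ironic project: a small scanner that reads the JSON that `openstack baremetal node show <uuid> -f json` prints and flags any string under driver_info or instance_info that contains an ASCII control character. The three node records embedded in it are constructed (made-up UUIDs, addresses and values); the `kernel_append_params` key is the field the guidance names, but the scanner walks every nested string so an override placed under another key is not missed.

```python
"""Flag control characters in Ironic node fields that feed the iPXE boot script.

Live:    openstack baremetal node show <uuid> -f json | python3 scan_node_params.py
Offline: python3 scan_node_params.py        # scans the constructed SAMPLE_NODES below
Exit status is 1 when anything is flagged, so the script can run from cron or CI.
"""
import json
import re
import sys

# Node fields the advisory names as the injection surface.
SCANNED_FIELDS = ("driver_info", "instance_info")

# Any ASCII control character (NUL..US, which includes \n, \r and \t) or DEL.
# A newline in a value copied onto the kernel command line starts a fresh line
# in the generated iPXE script, which is the injection primitive described above.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample records in the shape `openstack baremetal node show -f json`
# prints (only the fields relevant here). UUIDs, addresses and values are made up.
SAMPLE_NODES = [
    {
        "uuid": "0c1a5d2e-1111-4a3b-9c0d-000000000001",
        "name": "compute-01",
        "driver_info": {"ipmi_address": "10.20.0.11",
                        "deploy_kernel": "file:///tftpboot/ipa.kernel"},
        "instance_info": {"kernel_append_params": "console=ttyS0,115200n8 nofb nomodeset"},
    },
    {
        "uuid": "0c1a5d2e-1111-4a3b-9c0d-000000000002",
        "name": "compute-02",
        "driver_info": {"ipmi_address": "10.20.0.12"},
        # A newline followed by a second line: exactly what the guidance says to look for.
        "instance_info": {"kernel_append_params": "console=ttyS0\necho injected-line"},
    },
    {
        "uuid": "0c1a5d2e-1111-4a3b-9c0d-000000000003",
        "name": "compute-03",
        # Override placed in driver_info instead, carrying a carriage return and a tab.
        "driver_info": {"ipmi_address": "10.20.0.13",
                        "kernel_append_params": "quiet\r\tsplash"},
        "instance_info": {},
    },
]


def _strings(value, path):
    """Yield (dotted_path, text) for every string nested anywhere inside value."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from _strings(item, f"{path}.{key}")
    elif isinstance(value, list):
        for idx, item in enumerate(value):
            yield from _strings(item, f"{path}[{idx}]")
    elif isinstance(value, str):
        yield path, value


def scan_node(node):
    """Return one finding per string under the scanned fields that carries a control character."""
    findings = []
    for field in SCANNED_FIELDS:
        for path, text in _strings(node.get(field) or {}, field):
            hit = CONTROL_CHARS.search(text)
            if hit is None:
                continue
            findings.append({
                "node": node.get("name") or node.get("uuid"),
                "path": path,
                "char": f"0x{ord(hit.group()):02x}",
                # Escape so the offending byte is visible in a log line.
                "value": text.encode("unicode_escape").decode("ascii"),
            })
    return findings


def scan_nodes(nodes):
    """Scan a list of node records and concatenate their findings."""
    return [finding for node in nodes for finding in scan_node(node)]


def main():
    if sys.stdin.isatty():
        records = SAMPLE_NODES
    else:
        records = json.load(sys.stdin)
        if isinstance(records, dict):  # a single `node show` document
            records = [records]
    findings = scan_nodes(records)
    for f in findings:
        print(f"SUSPICIOUS node={f['node']} field={f['path']} char={f['char']} value={f['value']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

To sweep a whole deployment, loop over `openstack baremetal node list -f value -c UUID` and pipe each `node show -f json` into the script; a non-zero exit from any node is the signal to investigate. The scan is intentionally broad (any control character, any nested string) because the patch itself restricts characters rather than specific keys; tighten the regex only if you have confirmed which characters your release rejects.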

Mitigation Strategies

Immediate mitigation is to apply the patches for the affected OpenStack Ironic release series (first fixed in 26.1.7, 29.0.6, 32.0.2 and 35.0.2 according to the affected-version ranges above). The patches restrict which special characters may appear in kernel command line overrides, so a value can no longer break out of its position in the generated iPXE script.

If patching is not immediately possible, operators can set the configuration option `CONF.conductor.disable_kernel_parameter_parsing` to true. This stops the conductor from parsing operator-supplied kernel parameters, which closes the injection path but reduces overall security hardening, so treat it as a stop-gap and revert it once the patched release is installed.

  • Apply the official patches for OpenStack Ironic as soon as possible.
  • Set `CONF.conductor.disable_kernel_parameter_parsing = true` in the Ironic conductor configuration as a temporary workaround until patched.
  • Restrict the ability to update node.driver_info and node.instance_info (the node update API) to trusted operators through Ironic's API policy.
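The workaround above written as an ironic.conf fragment, added here as an example rather than taken from the advisory or the Ironic project. The option name is the one this page gives; the `[conductor]` section is how oslo.config spells `CONF.conductor.<option>` in the file; the comments and the restart advice are assumptions about operating the change, not statements from the advisory.

```ini
# /etc/ironic/ironic.conf on each ironic-conductor host (added example).
[conductor]
# Temporary workaround for CVE-2026-46447 on an unpatched conductor: stop parsing
# operator-supplied kernel parameters so a crafted node.driver_info or
# node.instance_info value cannot be turned into extra iPXE script lines.
# This reduces hardening elsewhere (assumption: functionality the parsing
# provides is lost), so remove the line again once 26.1.7 / 29.0.6 / 32.0.2 /
# 35.0.2 or later is installed. Restart ironic-conductor after editing.
disable_kernel_parameter_parsing = true
```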

Additionally, review and monitor kernel command line parameters in PXE/iPXE boot templates to ensure no malicious parameters are present.
