CVE-2026-48681
Directory Traversal in OpenStack Ironic via ISO Image
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openstack | ironic | From 17.0.0 (inc) to 26.1.7 (exc) |
| openstack | ironic | From 27.0.0 (inc) to 29.0.6 (exc) |
| openstack | ironic | From 30.0.0 (inc) to 32.0.2 (exc) |
| openstack | ironic | From 33.0.0 (inc) to 35.0.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48681 is a path traversal vulnerability in OpenStack Ironic's ISO handling code that allows a maliciously crafted ISO image to overwrite files on a conductor's disk during deployment.
The vulnerability occurs because the ISO extraction process does not properly validate file paths, allowing an attacker to use directory traversal sequences (like "../") to write files outside the intended extraction directory.
This flaw affects multiple versions of Ironic and can be exploited by any user with access to deploy nodes using configdrive, virtual media-based boot interfaces, or the anaconda deploy interface.
How can this vulnerability impact me?
This vulnerability can allow an attacker with authenticated access to overwrite arbitrary files on the system where Ironic is running, potentially leading to privilege escalation or system compromise.
Because the attacker can write files outside the intended directory, they might modify critical system files or configuration, disrupting deployments or gaining unauthorized control.
The impact is limited to users who have deployment access, but within that scope, it can cause significant security and operational risks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves path traversal during ISO extraction in OpenStack Ironic deployments. Detection involves identifying if your system is running a vulnerable version of Ironic and if malicious ISO images with path traversal sequences have been used.
Since the vulnerability exploits crafted ISO images containing path traversal sequences like '../', you can inspect ISO files used in deployments for suspicious filenames or directory names that include such sequences.
Commands to help detect potential exploitation or presence of malicious ISO files could include:
- Listing files inside ISO images to check for suspicious paths: use tools like 'isoinfo' or '7z' to list ISO contents, e.g., `isoinfo -i <iso_file> -l` or `7z l <iso_file>`.
- Searching for path traversal patterns in extracted files or deployment directories, e.g., `find /path/to/extracted -name "*..*"`; note that once an image has been extracted the `../` sequences have already been resolved, so also check for unexpected or recently modified files outside the intended extraction directory.
- Checking the version of OpenStack Ironic installed to confirm if it falls within the vulnerable ranges.
Monitoring logs of the ironic-conductor service for unusual file write operations or errors related to ISO extraction may also help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade OpenStack Ironic to a patched release (35.0.2 or later, or the first fixed release in your version series as given by the affected ranges above).
- Avoid deploying using untrusted or unauthenticated ISO images, especially those obtained from unknown sources.
- Restrict access to the deployment interfaces that handle ISO images, such as configdrive, virtual media-based boot interfaces, and the anaconda deploy interface, to trusted users only.
- Apply any available patches provided by the OpenStack security team that validate extracted paths to prevent directory traversal.
These steps reduce the risk of exploitation by limiting the ability of attackers to use crafted ISO images to overwrite files on the conductor's disk.
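Both the detection advice (inspecting an image's file listing for traversal sequences) and the mitigation advice (validating extracted paths) come down to the same check: every member name must resolve to a location under the extraction root. The following is an added illustration of that check, not Ironic's own code or the project's patch. It assumes the member names have already been obtained from a listing tool such as `isoinfo -l` or `7z l`; the extraction root and the member names in `SAMPLE_MEMBERS` are constructed for the example.

```python
import os
import posixpath
from typing import Iterable, List, Optional, Tuple

# Constructed sample listing: the kind of member names a listing tool
# returns for an image. The traversal entries are invented for illustration.
SAMPLE_MEMBERS = [
    "boot/grub/grub.cfg",
    "images/pxeboot/vmlinuz",
    "../../etc/ssh/sshd_config",      # parent-directory escape
    "/etc/crontab",                   # absolute path
    "boot/../../../root/.bashrc",     # traversal hidden in the middle
    "boot/./grub/../grub/initrd",     # harmless once normalised
]


def resolve_within(root: str, member: str) -> Optional[str]:
    """Return the destination path for `member` if it stays under `root`,
    otherwise None.

    The check is purely lexical: it normalises '.' and '..' components but
    does not follow symlinks. An extractor must additionally refuse to write
    through a symlinked directory that already exists under root (e.g. by
    comparing os.path.realpath of the parent directory at write time).
    """
    root = os.path.abspath(root)
    # Member names in an ISO use '/' separators. An absolute member must be
    # rejected before joining, because os.path.join would discard root.
    if posixpath.isabs(member):
        return None
    dest = os.path.normpath(os.path.join(root, member))
    # After normalisation the destination must still share root as a prefix
    # at a path-component boundary (commonpath, not a plain startswith, so
    # that "/var/lib/ironic/extract2" is not mistaken for being inside root).
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


def audit_members(root: str, members: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a listing into (accepted, rejected) member names."""
    accepted: List[str] = []
    rejected: List[str] = []
    for member in members:
        if resolve_within(root, member) is None:
            rejected.append(member)
        else:
            accepted.append(member)
    return accepted, rejected


if __name__ == "__main__":
    # Assumed extraction root; any directory the conductor extracts into works.
    extract_root = "/var/lib/ironic/extract"
    ok, bad = audit_members(extract_root, SAMPLE_MEMBERS)
    for name in bad:
        print(f"REJECT {name!r}: escapes {extract_root}")
    for name in ok:
        print(f"accept {name!r} -> {resolve_within(extract_root, name)}")
```

Run against a real image, the listing step is the only part that changes: feed the names printed by `isoinfo -i <iso_file> -l` or `7z l <iso_file>` into `audit_members` and treat any rejected entry as grounds to quarantine the image before deployment. The same `resolve_within` test, applied before every write, is the containment check an extractor needs to close the CWE-23 pattern described above.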
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker with access to deploy nodes to perform directory traversal and overwrite files on the conductor's disk during deployment. This could lead to unauthorized modification of system files or data, potentially compromising the confidentiality and integrity of sensitive information.
Such unauthorized file overwrites and potential system compromise could impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and modification.
However, exploitation requires authenticated access to the deployment environment, which limits the risk to systems where attackers already have some level of access.