CVE-2026-50589
Modified Modified - Updated After Analysis

OpenStack Ironic API JSON-RPC Service Crash

Vulnerability report for CVE-2026-50589, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-05

Last updated on: 2026-07-15

Assigner: MITRE

Description

In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-05
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-06-05
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openstack ironic From 32.0.0 (inc) to 37.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in OpenStack Ironic allows unauthenticated attackers to cause a denial of service by crashing the service through crafted JSON payloads. This results in service unavailability but does not involve unauthorized access to or modification of data.

Since the vulnerability does not lead to data breaches, data integrity loss, or unauthorized data disclosure, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal and sensitive data.

However, the denial of service could indirectly affect compliance by disrupting availability requirements mandated by some standards, as service downtime might impact business continuity and availability commitments.

Organizations should consider implementing mitigations and defense-in-depth measures to maintain service availability and thus support compliance with availability-related requirements.

Executive Summary

CVE-2026-50589 is a Denial of Service (DoS) vulnerability in OpenStack Ironic versions 32 through 35.0.1. It allows an unauthenticated attacker to send a specially crafted JSON payload to certain API or JSON-RPC endpoints, such as the /v1/continue_inspection endpoint, causing the Ironic service to crash with a segmentation fault (SIGSEGV).

The root cause is a lack of content-length validation during JSON parsing combined with Ironic's default stack size being smaller than Python's recursion limit. This mismatch leads to stack overflows when processing deeply nested JSON, resulting in a crash. The crash leaves minimal forensic evidence, making it hard to trace the attacker.

Impact Analysis

This vulnerability can cause the OpenStack Ironic service to crash unexpectedly, resulting in a Denial of Service (DoS). An attacker does not need to be authenticated to exploit this issue, which means service availability can be disrupted by maliciously crafted JSON requests.

Because the crash leaves minimal forensic traces, it can be difficult to detect or attribute the attack, potentially allowing attackers to repeatedly disrupt service without easy identification.

Detection Guidance

This vulnerability causes the OpenStack Ironic service to crash with a segmentation fault (SIGSEGV) when it receives a maliciously crafted JSON payload at certain endpoints, such as `/v1/continue_inspection`.

Detection is difficult because the crash leaves minimal forensic traces. However, reverse proxy logs (e.g., from Apache or nginx) may provide clues by showing unusual or malformed JSON requests targeting Ironic's JSON parsing endpoints.

There are no specific commands provided to detect the vulnerability directly, but monitoring for service crashes and analyzing reverse proxy logs for suspicious JSON payloads sent to Ironic API endpoints can help identify potential exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include implementing early request validation to check the JSON payload's depth and length before full parsing to prevent stack overflows.

Adjusting the stack size configuration of the Ironic service to better handle recursion limits can reduce the risk of crashes.

Upgrading to Python 3.14 is recommended, as it includes improved stack overflow detection that can help mitigate this issue.

Additionally, applying defense-in-depth measures such as middleware-based request sanitization and enforcing strict request body size limits at reverse proxies (Apache, nginx) can help prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50589. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart