CVE-2026-55748
Status: Awaiting Analysis - Queue
OpenStack Horizon RC File Script Injection via Project Name

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: MITRE

Description
OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openstack horizon From 8.0.0 (inc) to 25.3.3 (exc)
openstack horizon From 25.4.0 (inc) to 25.5.3 (exc)
openstack horizon From 25.6.0 (inc) to 25.7.4 (exc)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Quick Actions
Detection Guidance

This vulnerability can be detected by inspecting the OpenStack RC files generated by Horizon for the presence of unescaped shell metacharacters in project names, such as $() or backticks, which could lead to command injection when sourced.

You can manually check the contents of the downloaded RC files for suspicious characters or commands by using commands like:

  • grep -E '\$\(|`' <rc-file>
  • less <rc-file> and visually inspect the project name variables for shell metacharacters

Additionally, monitoring network traffic for RC file downloads and analyzing the contents before sourcing can help detect exploitation attempts.

Compliance Impact

The vulnerability in OpenStack Horizon allows an attacker with project creation privileges to execute arbitrary shell commands when a user sources a maliciously crafted RC file. This could lead to unauthorized code execution and potential compromise of user environments.

Such unauthorized code execution risks violating security requirements in common standards and regulations like GDPR and HIPAA, which mandate protection of sensitive data and secure handling of user credentials and environments.

Therefore, if exploited, this vulnerability could undermine compliance by exposing systems to unauthorized access or data breaches, which are critical concerns under these regulations.

Mitigation involves upgrading to patched versions of Horizon or using alternative authentication methods, which helps maintain compliance by reducing the risk of exploitation.

Impact Analysis

This vulnerability allows an attacker with project creation privileges to execute arbitrary shell commands on the system of any user who downloads and sources the malicious RC file.

Such command injection can lead to unauthorized code execution, potentially compromising confidentiality, integrity, and availability of the affected system.

Users who source these RC files without inspecting them are at risk, and the impact depends on the privileges of the user running the shell commands.

Mitigation Strategies

Immediate mitigation steps include upgrading OpenStack Horizon to a fixed version where the vulnerability is patched (versions 25.7.4 and later or backported stable releases).

Until an upgrade is possible, users should carefully inspect any downloaded RC files for malicious content before sourcing them.

As a workaround, users can avoid sourcing RC files and instead use the clouds.yaml configuration file for CLI authentication.

Executive Summary

CVE-2026-55748 is a security vulnerability in OpenStack Horizon: the OpenStack RC shell scripts that Horizon offers for download embed project names without escaping shell metacharacters.

An attacker with project creation privileges can craft a malicious project name containing shell commands (such as $() or backticks) that get executed when a user sources the generated RC file.

This happens because Horizon places the project name inside double quotes in the shell script, and a POSIX shell still performs command substitution ($(...) and backticks) and parameter expansion inside double quotes, so commands embedded in the name run when the file is sourced.

The vulnerability has been addressed by implementing proper shell escaping for special characters while maintaining compatibility with project names containing ASCII apostrophes.
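The following is an added example written for this page; it is not code from Horizon or from the CVE record. It ties together the detection guidance above (inspecting a downloaded RC file for unescaped shell constructs) and the mechanism described in this summary (double quotes do not stop `$(...)` and backtick substitution, while single quotes do). The RC file content, variable names beyond the standard `OS_*` ones and the `keystone.example.invalid` URL are constructed. The quoting helper uses Python's `shlex.quote`, which is this example's choice for rendering a project name literally, including names with an ASCII apostrophe; it is not necessarily the exact escaping the Horizon fix uses.

```python
# Added example (not Horizon's or the CVE page's code): a defensive scanner
# for downloaded OpenStack RC files plus a quoting helper that embeds a
# project name so a POSIX shell treats it literally when the file is sourced.
import re
import shlex

# Constructed sample showing the pattern the advisory describes: the project
# name sits inside double quotes, where $(...) and backticks still expand.
SAMPLE_RC = """#!/usr/bin/env bash
export OS_AUTH_URL=https://keystone.example.invalid:5000/v3
export OS_PROJECT_NAME="demo$(id)"
export OS_USERNAME="alice"
"""

_EXPORT = re.compile(r'^\s*export\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
# Characters that may follow '$' and start an expansion outside single quotes.
_EXPANSION_START = set('({_@#?*!-$')


def expansion_points(raw):
    """Walk a shell word with a minimal quoting state machine.

    Returns (hits, unterminated): hits is a list of (column, construct) for
    every spot a POSIX shell would expand or treat as a command separator;
    unterminated is True if a quote is left open. Single-quoted text is
    literal; inside double quotes '$' and '`' still expand, and an unquoted
    ';', '|' or '&' would start a new command.
    """
    hits = []
    in_single = in_double = False
    i = 0
    while i < len(raw):
        c = raw[i]
        if in_single:
            if c == "'":
                in_single = False
        elif c == '\\':
            i += 2          # backslash escape: the next character is literal
            continue
        elif c == "'" and not in_double:
            in_single = True
        elif c == '"':
            in_double = not in_double
        elif c == '`':
            hits.append((i, '`'))
        elif c == '$' and i + 1 < len(raw) and (
                raw[i + 1].isalnum() or raw[i + 1] in _EXPANSION_START):
            hits.append((i, raw[i:i + 2]))
        elif not in_double and c in ';|&':
            hits.append((i, c))
        i += 1
    return hits, (in_single or in_double)


def find_unsafe_exports(rc_text):
    """Return [(variable, reason)] for every export line whose value would be
    expanded, split into another command, or left with an open quote."""
    findings = []
    for line in rc_text.splitlines():
        m = _EXPORT.match(line)
        if not m:
            continue
        var, raw = m.group(1), m.group(2).rstrip()
        hits, unterminated = expansion_points(raw)
        if hits:
            col, construct = hits[0]
            findings.append((var, f"shell construct {construct!r} at column {col}"))
        elif unterminated:
            findings.append((var, "unterminated quote"))
    return findings


def rc_export(var, value):
    """Emit an export line whose value the shell takes literally.

    shlex.quote single-quotes anything containing metacharacters and handles
    an ASCII apostrophe by closing and reopening the quotes ('it'"'"'s'), so
    project names with apostrophes keep working. This is the example's own
    approach, not necessarily the exact escaping used in the Horizon fix.
    """
    return f"export {var}={shlex.quote(value)}"


if __name__ == "__main__":
    for var, reason in find_unsafe_exports(SAMPLE_RC):
        print(f"UNSAFE {var}: {reason}")
    print(rc_export("OS_PROJECT_NAME", "demo$(id)"))
    print(rc_export("OS_PROJECT_NAME", "it's demo"))
```

Run the scanner over a downloaded RC file before sourcing it; any finding means the file should be treated as untrusted rather than sourced. The scanner is deliberately conservative: a plain `"$HOME"` inside double quotes is also reported, because the point is that nothing in a generated credential file should need expansion at all.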
