CVE-2026-44918
Received Received - Intake

OpenStack Ironic Unauthorized Node Modification

Vulnerability report for CVE-2026-44918, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: MITRE

Description

OpenStack Ironic through before 37.0.1 allows creation or modification of nodes cross-project without authorization.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 12 associated CPEs
Vendor Product Version / Range
openstack ironic From 27.0.0 (inc) to 29.0.6 (exc)
openstack ironic From 30.0.0 (inc) to 32.0.2 (exc)
openstack ironic From 33.0.0 (inc) to 35.0.2 (exc)
openstack ironic From 36.0.0 (inc) to 37.0.1 (exc)
openstack ironic 2024.1
openstack ironic 2025.1
openstack ironic 2025.2
openstack ironic 2026.1
openstack ironic 2026.2
openstack ironic 33.0
openstack ironic 34.0
openstack ironic 37.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44918 is an insufficient access control vulnerability in OpenStack Ironic that allows an authenticated project manager to create or modify nodes across different projects without proper authorization.

Specifically, it enables manipulation of parent/child node relationships in Ironic's Role-Based Access Control (RBAC) system, allowing a project manager to reassign Volume Connectors or Volume Target objects to different projects or create new nodes using a parent node UUID from another project.

This can lead to unauthorized operations on parent nodes, such as forcing them to power on, and exposure of sensitive secrets in environments using boot-from-volume with iSCSI volumes.

The vulnerability is difficult to detect because reparented objects do not leave obvious traces, and it affects multiple versions of Ironic prior to 37.0.1.

Impact Analysis

This vulnerability can impact you by allowing unauthorized project managers to manipulate node relationships and access sensitive information.

  • Exposure of sensitive secrets contained in Volume Connectors or Volume Target objects, especially in environments using boot-from-volume with iSCSI volumes.
  • Unauthorized operations on parent nodes, such as forcing them to power on or preventing them from powering off, which can disrupt normal operations.
  • Potential operational disruptions caused by bypassing ownership restrictions, leading to security and management challenges.

Because these manipulations are hard to detect through normal inspection, the risk of unnoticed unauthorized access or control is increased.

Detection Guidance

This vulnerability is difficult to detect through normal inspection because reparented objects do not leave obvious traces in the data.

Operators are advised to audit node configurations, such as verifying the expected number of volume targets and connectors.

Ironic has introduced a new upgrade check command, `ironic-status upgrade check`, which can be used to detect misconfigured nodes affected by this vulnerability.

Mitigation Strategies

The primary mitigation step is to apply the patches released for multiple Ironic branches that fix this vulnerability.

  • Upgrade Ironic to version 37.0.1 or later, or to a patched version in your current branch.
  • Use the `ironic-status upgrade check` command to identify and remediate any misconfigured nodes.
  • Audit node configurations to ensure that parent and child nodes have matching owner values and verify the expected number of volume targets and connectors.

These patches also include hardening measures to prevent similar vulnerabilities in Port and Portgroup objects, providing consistent API-level errors for invalid data.

Compliance Impact

CVE-2026-44918 allows unauthorized cross-project creation or modification of nodes in OpenStack Ironic, which can lead to unauthorized access to sensitive data such as secrets in Volume Connectors when booting from iSCSI volumes.

This unauthorized access to sensitive information could potentially violate data protection requirements found in common standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data.

Operators are advised to audit node configurations and apply patches that enforce matching ownership between parent and child nodes to mitigate the risk of unauthorized data access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44918. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart