Authorization Misconfiguration Vulnerability in OpenStack Ironic by Dell
CVE-2026-42997

7.7 HIGH

Key Information:

Vendor

OpenStack

Status
Vendor
CVE Published: 5 May 2026

What is CVE-2026-42997?

A vulnerability in OpenStack Ironic prior to version 35.0.1 allows a user to cause authorization requests to be sent to remote endpoints during import processes. This can expose a time-limited Keystone token, which grants access to all services authorized for OpenStack Ironic, or the basic credentials for mold storage. Fixed versions include 26.1.6, 29.0.5, 32.0.1, and 35.0.1.

Affected Version(s)

Ironic 17.0.0 < 26.1.6

Ironic 27.0.0 < 29.0.5

Ironic 30.0.0 < 32.0.1

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
