OpenStack Ironic Vulnerability Allows Unsafe Template Rendering
CVE-2026-44916

3 LOW

Key Information:

Vendor: OpenStack

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-44916?

OpenStack Ironic renders instance_info['ks_template'] unsafely: the template is not properly sandboxed when it is rendered. An attacker can exploit the lack of safeguards around template rendering, potentially leading to unauthorized access to or manipulation of the system. Users operating affected versions should review their deployments and apply the necessary security measures to mitigate the risk.

Affected Version(s)

Ironic 17.0.0 < 26.1.7

Ironic 27.0.0 < 29.0.6

Ironic 30.0.0 < 32.0.2

CVSS V3.1

Score: 3
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
