CVE-2026-46447

5.8MEDIUM

Key Information:

Vendor

Openstack
Status
Ironic
Vendor
CVE Published:
3 June 2026

What is CVE-2026-46447?

OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info.

Affected Version(s)

Ironic 17.0.0 < 26.1.7

Ironic 27.0.0 < 29.0.6

Ironic 30.0.0 < 32.0.2

References

https://bugs.launchpad.net/ironic/+bug/2150624
https://security.openstack.org/ossa/OSSA-2026-017.html

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.