Boot Script Injection Vulnerability in OpenStack Ironic
CVE-2026-46447

5.8 MEDIUM

Key Information:

Vendor: OpenStack

Status
Vendor
CVE Published: 3 June 2026

What is CVE-2026-46447?

OpenStack Ironic prior to version 35.0.2 is vulnerable to boot script injection: an attacker who can manipulate node.driver_info or node.instance_info can cause arbitrary iPXE scripts to be executed, potentially compromising the integrity and security of the system. Users should update their OpenStack Ironic installations to mitigate this risk.

Affected Version(s)

Ironic 17.0.0 < 26.1.7

Ironic 27.0.0 < 29.0.6

Ironic 30.0.0 < 32.0.2

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
