IPMI Management Interface Vulnerability in OpenStack Ironic by OpenStack
CVE-2026-54423

8.2HIGH

Key Information:

Vendor

Openstack

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-54423?

In OpenStack Ironic, prior to version 37.0.1, a vulnerability exists where an Ironic user with permissions to deploy nodes using the IPMI management interface can exploit the send_raw command. This exploitation enables the user to inject arbitrary IPMI commands directly to a node, effectively bypassing the built-in access controls of Ironic. This can lead to unauthorized actions on the deployed hardware, posing significant security risks to the affected environments.

Affected Version(s)

Ironic 22.1.0 < 29.0.6

Ironic 30.0.0 < 32.0.2

Ironic 32.0.0 < 35.0.2

References

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.