CRITICAL🇵🇱 Wersja polska

CVE-2026-28370

CVSS 9.1v3.1pub. 2026-02-27upd. 2026-03-05

In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Openstack Vitrage

    APP
    Openstack
    < 12.0113.0.0 – 13.0.1 (bez)14.0.0 – 14.0.1 (bez)15.0.0 – 15.0.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-28718CRITICAL9.8PL ✓ten sam vendor

RCE w OpenStack Magnum — podatność w komponencie cert_manager.py

CVE-2021-38598CRITICAL9.1ten sam vendor

OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the...

CVE-2020-26943CRITICAL9.9ten sam vendor

An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access...

CVE-2013-2166CRITICAL9.8ten sam vendor

python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass

CVE-2013-2167CRITICAL9.8ten sam vendor

python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass