CRITICAL🇵🇱 Wersja polska

CVE-2026-41283

CVSS 9.9v3.1pub. 2026-06-04upd. 2026-06-30

OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials.

🤖 AI Analysis
How it works

The OpenStack Mistral service exposes API endpoints that do not sufficiently restrict code execution (CWE-863 – improper authorization). An authenticated user with basic privileges (PR:L) can send a specially crafted request to such endpoints, causing arbitrary code execution on the server side. The vulnerability does not require user interaction on the victim side and has a scope extending beyond the vulnerable component (S:C), indicating the possibility of affecting other OpenStack infrastructure resources.

Impact

An attacker can gain full control over the server (high impact on confidentiality, integrity, and availability), as well as exfiltrate OpenStack service credentials, which may enable further lateral movement in the cloud infrastructure.

Mitigation & patch

Apply patches available from the vendor according to the references (OSSA-2026-020 published by OpenStack Security). Until the fix is implemented, it is recommended to restrict network access to the Mistral API only to trusted hosts using a firewall or network rules.

Who is affected

OpenStack Mistral in all versions up to and including 22.0.0, when the service API is exposed to network access.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References