Home

Description

An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.

PUBLISHED Reserved 2026-05-01 | Published 2026-05-05 | Updated 2026-05-06 | Assigner mitre




HIGH: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-669 Incorrect Resource Transfer Between Spheres

Product status

Default status
unaffected

17.0.0 (semver) before 26.1.6
affected

27.0.0 (semver) before 29.0.5
affected

30.0.0 (semver) before 32.0.1
affected

33.0.0 (semver) before 35.0.1
affected

References

www.openwall.com/lists/oss-security/2026/05/05/10

www.openwall.com/lists/oss-security/2026/05/05/10

security.openstack.org/ossa/OSSA-2026-010.html

cve.org (CVE-2026-42997)

nvd.nist.gov (CVE-2026-42997)

Download JSON