Critical Ironic Vulnerabilities Expose OpenStack Bare Metal to Path Traversal and Code Execution
Ubuntu security updates address three critical vulnerabilities in OpenStack Ironic that allow authenticated attackers to traverse file systems, inject malicious code, and access sensitive files. Organizations running Ironic conductors should apply patches immediately.
TL;DR
- Path traversal vulnerability (CVE-2026-48681) enables arbitrary file overwrite on Ironic conductors via crafted ISO images
- Kernel command line injection flaw (CVE-2026-46447) permits script injection during node boot, risking remote code execution
- Insufficient access controls on PXE templates (CVE-2026-44917) allow reading of sensitive conductor files by authenticated users
- All three vulnerabilities require privileged authenticated access but pose significant risk in multi-tenant OpenStack environments
- Ubuntu patch USN-8421-1 addresses all issues; immediate deployment recommended for production deployments
OpenStack Ironic, the bare metal provisioning service, contains three related vulnerabilities discovered by Dmitry Tantsur and Tuomo Tanskanen that collectively expose Ironic conductors to file system manipulation, code execution, and information disclosure. While exploitation requires authenticated access with elevated privileges, the attack surface remains significant in shared infrastructure environments.
The vulnerabilities span input validation failures across ISO image handling, kernel parameters, and template access controls. Each flaw independently compromises conductor security; combined, they represent a critical risk to bare metal infrastructure management. Ubuntu has released security notice USN-8421-1 to address all three issues.
Technical Vulnerability Details
- CVE-2026-48681: Insufficient path validation during ISO image processing allows attackers to traverse directories and overwrite arbitrary files on the conductor host
- CVE-2026-46447: Unvalidated kernel command line parameters enable injection of malicious scripts executed during node provisioning and boot sequences
- CVE-2026-44917: Overly permissive access controls on custom PXE templates permit authenticated users to read sensitive configuration and credential files
Risk Assessment and Mitigation
- Attack vector requires authenticated access with administrative or operator privileges, limiting exposure in properly segmented networks
- Bare metal environments often manage critical infrastructure; compromise could affect downstream workload integrity and availability
- Input validation and access control weaknesses suggest need for defense-in-depth: network segmentation, audit logging, and least-privilege role enforcement
- Organizations should prioritize patching Ironic deployments and review recent conductor logs for suspicious ISO uploads or parameter modifications
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.