Source: mistral Version: 20.0.0-2 Severity: serious Tags: patch security X-Debbugs-Cc: Debian Security Team <[email protected]>
Mistral is affected by CVE-2026-41283 Copying content of: https://security.openstack.org/ossa/OSSA-2026-020.html Date: June 03, 2026 CVE: CVE-2026-41283 Affects: Mistral: >=20.0.0 <20.1.1, ==21.0.0, ==22.0.0 Note from package maintainer: All versions from Bullseye to Trixie Description: Eduardo Gonzalez Gutierrez and Arnaud Morin (OVHcloud) reported that several Mistral API endpoints do not enforce access policies, allowing any authenticated user to create public resources and upload arbitrary code that executes on Mistral executor workers. An attacker could extract sensitive data including service credentials from the worker. Deployments exposing the Mistral API are affected. Patches: https://review.opendev.org/991416 (2025.1/epoxy) https://review.opendev.org/991417 (2025.1/epoxy) https://review.opendev.org/991418 (2025.1/epoxy) https://review.opendev.org/991419 (2025.1/epoxy) https://review.opendev.org/991420 (2025.1/epoxy) https://review.opendev.org/991421 (2025.1/epoxy) https://review.opendev.org/991422 (2025.1/epoxy) https://review.opendev.org/991423 (2025.1/epoxy) https://review.opendev.org/991408 (2025.2/flamingo) https://review.opendev.org/991409 (2025.2/flamingo) https://review.opendev.org/991410 (2025.2/flamingo) https://review.opendev.org/991411 (2025.2/flamingo) https://review.opendev.org/991412 (2025.2/flamingo) https://review.opendev.org/991413 (2025.2/flamingo) https://review.opendev.org/991414 (2025.2/flamingo) https://review.opendev.org/991415 (2025.2/flamingo) https://review.opendev.org/991400 (2026.1/gazpacho) https://review.opendev.org/991401 (2026.1/gazpacho) https://review.opendev.org/991402 (2026.1/gazpacho) https://review.opendev.org/991403 (2026.1/gazpacho) https://review.opendev.org/991404 (2026.1/gazpacho) https://review.opendev.org/991405 (2026.1/gazpacho) https://review.opendev.org/991406 (2026.1/gazpacho) https://review.opendev.org/991407 (2026.1/gazpacho) https://review.opendev.org/991392 (2026.2/hibiscus) https://review.opendev.org/991393 (2026.2/hibiscus) https://review.opendev.org/991394 (2026.2/hibiscus) https://review.opendev.org/991395 (2026.2/hibiscus) https://review.opendev.org/991396 (2026.2/hibiscus) https://review.opendev.org/991397 (2026.2/hibiscus) https://review.opendev.org/991398 (2026.2/hibiscus) https://review.opendev.org/991399 (2026.2/hibiscus) Credits: Eduardo Gonzalez Gutierrez from Independent (CVE-2026-41283) Arnaud Morin from OVHcloud (CVE-2026-41283) References: https://launchpad.net/bugs/2147178 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41283
