Source: ironic
Severity: grave
Tags: patch
As per upstream announce at:
https://security.openstack.org/ossa/OSSA-2026-026.html
Date:
July 08, 2026
CVE:
CVE-2026-44918
Affects:
Ironic: >=27.0.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2, >=36.0.0
<37.0.1
Description:
Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology)
from the Metal3.io Security Team reported a vulnerability in Ironic’s access
control code.
This OSSA represents multiple related vulnerabilities in Ironic RBAC. An
authenticated project manager can change the node associated with Volume
Connectors or Volume Target objects, potentially changing the project
permitted to access the object. Volume Connectors contain secrets in
environments configuring boot from volume with iSCSI volumes. This is tracked
as bug #2150256.
Objects reparented in this manner cannot be detected via inspection of the
data. Operators who are concerned they may have had this occur are encouraged
to perform a basic audit of node configuration, for instance, insuring the
expected number of volume targets, and volume connectors are present.
Additionally, a project manager with the ability to create nodes can use the
UUID of a node not owned by their project as a parent node when creating a
new node. This mismatched child node can then be used to impact operations on
the parent, such as forcing it to power on. This is tracked as bug #2150450.
Ironic now specifically checks, and requires node parents and children to have
matching node.owner values. This patch contains an enhancement to Ironic’s
upgrade check to detect this mismatched state. Operators can use the provided
ironic-status upgrade check to identify misconfigured nodes.
Patches
https://review.opendev.org/c/openstack/ironic/+/996479 (2024.1/caracal
(unmaintained))
https://review.opendev.org/c/openstack/ironic/+/996478 (2025.1/epoxy)
https://review.opendev.org/c/openstack/ironic/+/996476 (2025.2/flamingo)
https://review.opendev.org/c/openstack/ironic/+/996469 (2026.1/gazpacho)
https://review.opendev.org/c/openstack/ironic/+/996462 (2026.2/hibiscus)
https://review.opendev.org/c/openstack/ironic/+/996474 (Bugfix/33.0)
https://review.opendev.org/c/openstack/ironic/+/996471 (Bugfix/34.0)
https://review.opendev.org/c/openstack/ironic/+/996464 (Bugfix/37.0)
Credits
Dmitry Tantsur from Red Hat
Tuomo Tanskanen from Ericsson Software Technology
References
https://bugs.launchpad.net/ironic/+bug/2150256
https://bugs.launchpad.net/ironic/+bug/2150450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44918
Notes
Volume Targets and Volume Connectors only contain sensitive information in
environments utilizing boot-from-volume with iSCSI volumes.
These patches also contain hardening logic to prevent this class of
vulnerability in Port and Portgroup objects. This is a defense in depth
measure to provide consistent errors at the API level for invalid data.
Branch 2024.1/caracal is unmaintained and patches are provided as a
courtesy.
Bugfix branches will recieve patches in git but will not recieve a updated
release.