=====================================================================================
OSSA-2026-012: Remote Code Execution in Ironic conductor when Anaconda driver enabled
=====================================================================================

:Date: May 11, 2026
:CVE: CVE-2026-44916


Affects
~~~~~~~
- Ironic: >=17.0.0 <26.1.7, >=27.0.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2


Description
~~~~~~~~~~~
Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology) from the Metal3.io Security Team reported a vulnerability in Ironic's anaconda deploy interface. Users who can set ``node.instance_info['ks_template']`` can achieve remote code execution in the ironic-conductor process, because the kickstart template is rendered without sandboxing. In the default configuration, Ironic is not vulnerable to this issue. However, operators who have enabled the anaconda deploy interface by adding it to ``[conductor]/enabled_deploy_interfaces`` and have untrusted users with access to modify ``node.instance_info`` are at risk.
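The class of fix for this kind of issue is to render operator-supplied templates in the template engine's sandbox rather than in a plain environment. The snippet below is an added illustration, not code from this advisory or from Ironic itself; it assumes the engine is Jinja2 (which Ironic uses for ``ks_template``), and the two templates and the ``render_ks_template``/``is_template_safe`` helpers are constructed for the example.

```python
"""Sandboxed rendering of an untrusted kickstart template (added example)."""
from jinja2 import exceptions as jinja_exc
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed sample: a kickstart-style template an operator could legitimately
# place in node.instance_info['ks_template'].
SAFE_TEMPLATE = (
    "url --url={{ image_url }}\n"
    "rootpw --plaintext {{ root_password }}\n"
)

# Constructed sample: a template that tries to walk out of the render context
# through dunder attributes. A plain jinja2.Environment resolves these
# lookups; the sandbox refuses them.
UNSAFE_TEMPLATE = "{{ image_url.__class__.__mro__ }}"


def render_ks_template(template_str, context):
    """Render template_str with context inside Jinja2's immutable sandbox.

    The sandbox blocks attribute access that starts with an underscore and
    mutating method calls. An unsafe attribute is replaced by an Undefined
    that raises SecurityError as soon as the template tries to use it
    further (call it, index it, or read another attribute from it).
    keep_trailing_newline preserves the final newline a kickstart file
    should end with.
    """
    env = ImmutableSandboxedEnvironment(keep_trailing_newline=True)
    template = env.from_string(template_str)
    return template.render(**context)


def is_template_safe(template_str, context):
    """Pre-flight check: True if the template renders without tripping the
    sandbox, False if the sandbox rejects it. Useful for validating a
    template at API time, before it reaches the conductor."""
    try:
        render_ks_template(template_str, context)
    except jinja_exc.SecurityError:
        return False
    return True


if __name__ == "__main__":
    ctx = {"image_url": "http://example.invalid/ks", "root_password": "hunter2"}
    print(render_ks_template(SAFE_TEMPLATE, ctx))
    print("unsafe template accepted:", is_template_safe(UNSAFE_TEMPLATE, ctx))
```

Note that the sandbox does not raise on the first unsafe attribute lookup alone; a lone ``{{ x.__class__ }}`` renders as an empty string. Any attempt to go further (another attribute, an index, a call) raises ``SecurityError``, which is why the check above renders the template rather than only compiling it.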



Patches
~~~~~~~
- https://review.opendev.org/c/openstack/ironic/+/987778 (2023.1/antelope (unmaintained))
- https://review.opendev.org/c/openstack/ironic/+/987777 (2024.1/caracal (unmaintained))
- https://review.opendev.org/c/openstack/ironic/+/987776 (2025.1/epoxy)
- https://review.opendev.org/c/openstack/ironic/+/987775 (2025.2/flamingo)
- https://review.opendev.org/c/openstack/ironic/+/987774 (2026.1/gazpacho)
- https://review.opendev.org/c/openstack/ironic/+/987922 (Bugfix/31.0)
- https://review.opendev.org/c/openstack/ironic/+/987921 (Bugfix/33.0)
- https://review.opendev.org/c/openstack/ironic/+/987920 (Bugfix/34.0)


Credits
~~~~~~~
- Dmitry Tantsur from Red Hat
- Tuomo Tanskanen from Ericsson Software Technology


References
~~~~~~~~~~
- https://bugs.launchpad.net/ironic/+bug/2148307
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44916


Notes
~~~~~
- Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained.
  Patches are provided as a courtesy. Releases 2023.2 (bobcat) and
  2024.2 (dalmatian) are end of life and have not had patches provided.
  See https://releases.openstack.org for more information on supported
  releases.
- Ironic bugfix branch patches will be available in git for interested
  operators. We will not perform an additional release from these
  branches.