=====================================================================
OSSA-2026-019: File Extraction from Ironic conductor via pxe_template
=====================================================================
:Date: June 03, 2026
:CVE: CVE-2026-44917

Affects
~~~~~~~
- Ironic: >=17.0.0 <26.1.7, >=27.0.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2
Description
~~~~~~~~~~~
Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology) from the Metal3.io Security Team reported a vulnerability in Ironic's boot interfaces. A project owner or manager with access to modify ``node.driver_info[pxe_template]`` can set it to ``/etc/ironic/ironic.conf`` or any other sensitive file readable by the conductor process. Ironic will then place this "template file" into a TFTP or HTTP server for netbooting, where it can be fetched by anything with network access to the conductor.
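As an added example, not Ironic's own code and not the upstream fix: a small audit that flags nodes whose ``pxe_template`` value resolves outside an allow-listed template directory, which is the kind of check an operator can run over exported node records while patching. The allow-list directory, the sample node records and the ``uuid`` / ``driver_info`` field names are constructed for this illustration.

```python
import os

# Hypothetical allow-list for this example; Ironic's real template layout
# is not taken from the advisory.
ALLOWED_TEMPLATE_DIRS = ("/etc/ironic/templates",)


def is_within(path: str, base: str) -> bool:
    """True if `path`, after normalisation and symlink resolution, lies under `base`.

    Comparing resolved paths component-wise defeats `..` traversal and
    symlinks; a plain string prefix check would accept `/etc/ironic/templates2`.
    """
    real_path = os.path.realpath(path)
    real_base = os.path.realpath(base)
    return os.path.commonpath([real_path, real_base]) == real_base


def pxe_template_is_safe(value, allowed=ALLOWED_TEMPLATE_DIRS) -> bool:
    """Accept only an absolute path inside one of the allow-listed directories."""
    if not isinstance(value, str) or not value:
        return False
    if not os.path.isabs(value):
        # A relative path would be resolved against the conductor's working
        # directory, which is not something the operator controls per node.
        return False
    return any(is_within(value, d) for d in allowed)


def audit_nodes(nodes, allowed=ALLOWED_TEMPLATE_DIRS):
    """Return (uuid, value) for each node whose pxe_template escapes the allow-list.

    Nodes with no pxe_template set fall back to the built-in template and are skipped.
    """
    findings = []
    for node in nodes:
        value = (node.get("driver_info") or {}).get("pxe_template")
        if value is None:
            continue
        if not pxe_template_is_safe(value, allowed):
            findings.append((node["uuid"], value))
    return findings


# Constructed node records in the shape of exported driver_info dictionaries.
SAMPLE_NODES = [
    {"uuid": "node-a", "driver_info": {"pxe_template": "/etc/ironic/templates/pxe_config.template"}},
    {"uuid": "node-b", "driver_info": {"pxe_template": "/etc/ironic/ironic.conf"}},
    {"uuid": "node-c", "driver_info": {"pxe_template": "/etc/ironic/templates/../ironic.conf"}},
    {"uuid": "node-d", "driver_info": {}},
]

if __name__ == "__main__":
    for uuid, value in audit_nodes(SAMPLE_NODES):
        print(f"{uuid}: pxe_template {value!r} is outside the allowed template directories")
```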
Ironic intends to remove this feature completely in a future release.

Patches
~~~~~~~
- https://review.opendev.org/c/openstack/ironic/+/991389 (2023.1/antelope (unmaintained))
- https://review.opendev.org/c/openstack/ironic/+/991385 (2024.1/caracal (unmaintained))
- https://review.opendev.org/c/openstack/ironic/+/991382 (2025.1/epoxy)
- https://review.opendev.org/c/openstack/ironic/+/991379 (2025.2/flamingo)
- https://review.opendev.org/c/openstack/ironic/+/991376 (2026.1/gazpacho)
- https://review.opendev.org/c/openstack/ironic/+/991367 (2026.2/hibiscus (development))
- https://review.opendev.org/c/openstack/ironic/+/991373 (Bugfix/33.0)
- https://review.opendev.org/c/openstack/ironic/+/991370 (Bugfix/34.0)

Credits
~~~~~~~
- Dmitry Tantsur from Red Hat
- Tuomo Tanskanen from Ericsson Software Technology

References
~~~~~~~~~~
- https://bugs.launchpad.net/ironic/+bug/2148319
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44917

Notes
~~~~~
- Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained. Patches are provided as a courtesy. Releases 2023.2 (bobcat) and 2024.2 (dalmatian) are end of life and have not had patches provided. See https://releases.openstack.org for more information on supported releases.
- Ironic bugfix branch patches will be available in git for interested operators. We will not perform an additional release from these branches.
