[oss-security] [OSSA-2026-020] OpenStack Mistral: Mistral policy enforcement bypass allows unauthorized public resource creation and arbitrary code execution (CVE-2026-41283)

Wed, 03 Jun 2026 09:58:43 -0700 

==========================================================================================================================
OSSA-2026-020: Mistral policy enforcement bypass allows unauthorized public resource creation and arbitrary code execution 
==========================================================================================================================

:Date: June 03, 2026
:CVE: CVE-2026-41283


Affects
~~~~~~~
- Mistral: >=20.0.0 <20.1.1, ==21.0.0, ==22.0.0


Description
~~~~~~~~~~~
Eduardo Gonzalez Gutierrez and Arnaud Morin (OVHcloud) reported that several Mistral API endpoints do not enforce access policies, allowing any authenticated user to create public resources and upload arbitrary code that executes on Mistral executor workers. An attacker could extract sensitive data including service credentials from the worker. Deployments exposing the Mistral API are affected. 



Patches
~~~~~~~
- https://review.opendev.org/991416 (2025.1/epoxy)
- https://review.opendev.org/991417 (2025.1/epoxy)
- https://review.opendev.org/991418 (2025.1/epoxy)
- https://review.opendev.org/991419 (2025.1/epoxy)
- https://review.opendev.org/991420 (2025.1/epoxy)
- https://review.opendev.org/991421 (2025.1/epoxy)
- https://review.opendev.org/991422 (2025.1/epoxy)
- https://review.opendev.org/991423 (2025.1/epoxy)
- https://review.opendev.org/991408 (2025.2/flamingo)
- https://review.opendev.org/991409 (2025.2/flamingo)
- https://review.opendev.org/991410 (2025.2/flamingo)
- https://review.opendev.org/991411 (2025.2/flamingo)
- https://review.opendev.org/991412 (2025.2/flamingo)
- https://review.opendev.org/991413 (2025.2/flamingo)
- https://review.opendev.org/991414 (2025.2/flamingo)
- https://review.opendev.org/991415 (2025.2/flamingo)
- https://review.opendev.org/991400 (2026.1/gazpacho)
- https://review.opendev.org/991401 (2026.1/gazpacho)
- https://review.opendev.org/991402 (2026.1/gazpacho)
- https://review.opendev.org/991403 (2026.1/gazpacho)
- https://review.opendev.org/991404 (2026.1/gazpacho)
- https://review.opendev.org/991405 (2026.1/gazpacho)
- https://review.opendev.org/991406 (2026.1/gazpacho)
- https://review.opendev.org/991407 (2026.1/gazpacho)
- https://review.opendev.org/991392 (2026.2/hibiscus)
- https://review.opendev.org/991393 (2026.2/hibiscus)
- https://review.opendev.org/991394 (2026.2/hibiscus)
- https://review.opendev.org/991395 (2026.2/hibiscus)
- https://review.opendev.org/991396 (2026.2/hibiscus)
- https://review.opendev.org/991397 (2026.2/hibiscus)
- https://review.opendev.org/991398 (2026.2/hibiscus)
- https://review.opendev.org/991399 (2026.2/hibiscus)


Credits
~~~~~~~
- Eduardo Gonzalez Gutierrez from Independent (CVE-2026-41283)
- Arnaud Morin from OVHcloud (CVE-2026-41283)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2147178
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41283

--
Goutham Pacha Ravi
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

Attachment: OpenPGP_0x0638DAD3B82C3988.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to