OpenStack Ironic
By the Year
In 2026 there have been 4 vulnerabilities in OpenStack Ironic with an average score of 5.4 out of ten.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 4 | 5.40 |
It may take a day or so for new Ironic vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent OpenStack Ironic Security Vulnerabilities
OpenStack Ironic Infinite Loop via file:///dev/zero URL
CVE-2026-44919
4.3 - Medium
- May 14, 2026
In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.
Incorrect Behavior Order
OpenStack Ironic ks_template unsandboxed rendering
CVE-2026-44916
3 - Low
- May 08, 2026
In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.
CWE-1336
OpenStack Ironic idrac Remote Credential Exposure <=35.0.1
CVE-2026-42997
7.7 - High
- May 05, 2026
An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
Incorrect Resource Transfer Between Spheres
OpenStack Ironic <=25.0.0 IPMI Tool Execution via Console Interface
CVE-2026-42510
6.6 - Medium
- April 28, 2026
OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration that has a console interface.
Inclusion of Functionality from Untrusted Control Sphere