Red Hat Openstack
Recent Red Hat Openstack Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:28047 | (RHSA-2026:28047) Important: Red Hat OpenStack Platform 17.1 (etcd) security update | June 22, 2026 |
| RHSA-2026:28046 | (RHSA-2026:28046) Moderate: Red Hat OpenStack Platform 17.1 (golang-uber-multierr) security update | June 22, 2026 |
| RHSA-2026:28044 | (RHSA-2026:28044) Important: Red Hat OpenStack Platform 17.1 (openstack-keystone) security update | June 22, 2026 |
| RHSA-2026:28043 | (RHSA-2026:28043) Important: Red Hat OpenStack Platform 17.1 (python-urllib3) security update | June 22, 2026 |
| RHSA-2026:28042 | (RHSA-2026:28042) Important: Red Hat OpenStack Platform 17.1 (python-pyasn1) security update | June 22, 2026 |
| RHSA-2026:7884 | (RHSA-2026:7884) Important: Red Hat OpenStack Services on OpenShift 18.0.18 (openstack-nova) security update | April 29, 2026 |
| RHSA-2026:7885 | (RHSA-2026:7885) Moderate: Red Hat OpenStack Services on OpenShift 18.0.18 (golang-github-openstack-k8s-operators-os-diff) security update | April 29, 2026 |
| RHSA-2026:5394 | (RHSA-2026:5394) Red Hat OpenStack Platform 17.1 director Operator container images | March 23, 2026 |
| RHSA-2026:3122 | (RHSA-2026:3122) Red Hat OpenStack Platform 16.2 director Operator container images | February 23, 2026 |
| RHSA-2026:1958 | (RHSA-2026:1958) Important: Red Hat OpenStack Services on OpenShift 18.0 (openstack-keystone) security update | February 12, 2026 |
By the Year
In 2026 there have been 60 vulnerabilities in Red Hat Openstack with an average score of 7.8 out of ten. In 2025, Red Hat Openstack had 3 security vulnerabilities published, so 57 more vulnerabilities have already been reported in 2026 than in all of last year, and the average CVE base score in 2026 is higher by roughly 2.6 points (7.80 versus 5.23).
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 60 | 7.80 |
| 2025 | 3 | 5.23 |
| 2024 | 14 | 6.31 |
| 2023 | 7 | 5.11 |
| 2022 | 8 | 6.80 |
| 2021 | 2 | 7.50 |
| 2020 | 24 | 5.64 |
| 2019 | 30 | 7.29 |
| 2018 | 56 | 6.64 |
It may take a day or so for new Openstack vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name, so the per-year counts below should be read as a lower bound.
Recent Red Hat Openstack Security Vulnerabilities
AngularJS 1.2+ SCE Bypass Enables JS Execution
CVE-2026-11998
7.6 - High
- June 24, 2026
A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource URLs and can lead to arbitrary JavaScript execution within the context of the victim's browser session. SCE's purpose is to ensure that only trusted or safe values are used in certain security-sensitive contexts, such as resource URLs, including URLs that define executable JavaScript scripts, '<iframe>' documents, route templates, etc. A flaw in the logic that tries to match entire URLs against regular expression matchers can result in partial matches for certain types of regular expressions, effectively bypassing the policies and allowing the use of unsafe values as resource URLs. This issue affects AngularJS versions greater than or equal to 1.2.0-rc.3. Note: The AngularJS project was already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see the End-of-Life announcement https://docs.angularjs.org/misc/version-support-status .
Incomplete Filtering of Special Elements
Erlang OTP erts(inet_drv) stack overflow via SCTP ERROR prior 27.3.4.13
CVE-2026-49759
8.2 - High
- June 10, 2026
Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk. The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service. A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.
Stack Overflow
ansible authorized_key LPE via untrusted symlink
CVE-2026-11837
7.3 - High
- June 10, 2026
A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.
Insecure Temporary File
Unauth Service Crash via Crafted JSON in OpenStack Ironic 32-35.0.1
CVE-2026-50589
7.5 - High
- June 04, 2026
In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.
Allocation of Resources Without Limits or Throttling
OpenStack oslo.messaging TLS Hostname Verification Bypass (1.0.0-17.3.0)
CVE-2026-44393
7.4 - High
- June 04, 2026
An issue was discovered in OpenStack oslo.messaging 1.0.0 through 17.3.0. The oslo.messaging RabbitMQ driver does not perform TLS hostname verification when connecting to the message broker. When ssl_ca_file is configured, the driver enables certificate chain validation but does not pass the expected broker hostname into the underlying TLS stack. Any certificate signed by the deployment CA is accepted regardless of hostname, allowing an attacker who can intercept control-plane traffic to impersonate the RabbitMQ broker and perform a man-in-the-middle attack on RPC and notification traffic. All OpenStack services using oslo.messaging with RabbitMQ over TLS are affected.
Improper Validation of Certificate with Host Mismatch
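The advisory above separates two checks that are easy to conflate: validating the broker's certificate chain against the deployment CA, and checking that the certificate is actually for the broker you intended to reach. The following is an added example in plain Python `ssl`, not oslo.messaging's own driver code, that shows both halves; the CA file path and broker hostname are placeholders, and `cafile=None` (system trust store) is an assumption so the functions run offline.

```python
import socket
import ssl

# Added example, not oslo.messaging driver code. It shows the difference
# between validating the chain (ssl_ca_file) and verifying the hostname.


def broker_tls_context(ca_file=None, verify_hostname=True):
    """Build the client-side SSLContext used to reach the message broker.

    verify_hostname=False reproduces the weak behaviour described in the
    advisory: the chain is validated against the CA, but any certificate that
    CA ever signed is accepted for any host, so an attacker holding any
    deployment-CA-issued certificate can impersonate the broker.
    """
    # create_default_context() starts with CERT_REQUIRED and check_hostname=True.
    # cafile=None falls back to the system trust store (assumption for the
    # example); a real deployment passes its ssl_ca_file here.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = verify_hostname
    return ctx


def hostname_verification_enabled(ctx):
    """Audit check: True only when both chain and hostname checks are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def open_broker_socket(host, port, ctx, timeout=5.0):
    """Connect and wrap the socket with server_hostname set.

    server_hostname is what the TLS stack compares against the certificate's
    SAN/CN (and what it sends as SNI). With check_hostname=True, wrap_socket()
    refuses to proceed without it, and the handshake fails on a mismatch.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    weak = broker_tls_context(verify_hostname=False)
    strong = broker_tls_context()
    print("weak   context verifies hostname:", hostname_verification_enabled(weak))
    print("strong context verifies hostname:", hostname_verification_enabled(strong))
```

The practical check for any client library that wraps TLS itself: confirm that the expected hostname is actually passed into the TLS layer, not just that a CA bundle is configured. A context that validates the chain but has `check_hostname` off behaves exactly like the vulnerable driver.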
OpenStack Mistral RCE via API before 22.0.0
CVE-2026-41283
9.9 - Critical
- June 04, 2026
OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials.
AuthZ
Go crypto/x509 VerifyHostname DNS SAN quadratic overhead
CVE-2026-27145
7.5 - High
- June 02, 2026
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.
Unchecked Input for Loop Condition
OpenStack Keystone Pre-29.0.2 Priv Esc via Impersonation + Trust
CVE-2026-43000
8.4 - High
- May 28, 2026
An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.
AuthZ
OpenStack Keystone RBAC Bypass via Untrusted JSON Merge (pre-29.0.2)
CVE-2026-42999
8.3 - High
- May 28, 2026
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0).
AuthZ
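The bug described above is an ordering problem: trusted target attributes resolved from the database are merged first, then the raw request body is merged on top and silently overwrites them. The following added example (not Keystone's code; the user ids, project ids and the single rule are constructed for illustration) models that enforcer with a tiny in-memory policy engine and shows one defensible fix in which body attributes can never shadow database-derived target data. The fix shown is illustrative and not necessarily the upstream patch.

```python
# Added example, not Keystone's own code. Models the enforce_call merge bug
# with constructed users, projects and a single simplified policy rule.

# Trusted state: what the database says about each user.
USERS_DB = {
    "user-alice": {"project_id": "proj-A"},
    "user-bob": {"project_id": "proj-B"},
}

# Simplified rule: a user may update a user record only if it is their own.
RULES = {
    "identity:update_user": lambda creds, policy: creds["user_id"] == policy["target_user_id"],
}


def target_from_db(url_user_id):
    """Trusted target attributes, resolved from the URL's user id via the DB."""
    record = USERS_DB[url_user_id]
    return {"target_user_id": url_user_id, "target_project_id": record["project_id"]}


def enforce_vulnerable(action, creds, url_user_id, json_body):
    """Mirrors the advisory: the raw body is merged *after* the trusted target
    data, so any key the caller puts in the body overwrites the DB lookup."""
    policy_dict = {}
    policy_dict.update(target_from_db(url_user_id))
    policy_dict.update(json_body.copy())  # untrusted wins
    return RULES[action](creds, policy_dict)


def enforce_fixed(action, creds, url_user_id, json_body):
    """Illustrative fix: the body is exposed to rules under its own key and can
    never shadow target attributes derived from trusted lookups."""
    policy_dict = target_from_db(url_user_id)
    policy_dict["json_body"] = dict(json_body)  # inspectable, not authoritative
    return RULES[action](creds, policy_dict)


# Constructed attack: bob (member) targets alice's record and supplies the
# very attribute the rule compares against his own id.
ATTACKER = {"user_id": "user-bob", "roles": ["member"]}
INJECTED_BODY = {"name": "pwned", "target_user_id": "user-bob"}

if __name__ == "__main__":
    print("vulnerable enforcer allows bob to edit alice:",
          enforce_vulnerable("identity:update_user", ATTACKER, "user-alice", INJECTED_BODY))
    print("fixed enforcer allows bob to edit alice:    ",
          enforce_fixed("identity:update_user", ATTACKER, "user-alice", INJECTED_BODY))
```

When reviewing any policy enforcer, trace where every key in the enforcement dictionary comes from; anything a caller controls must not be able to collide with a key a rule treats as trusted.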
OTP public_key nameConstraints bypass via CN fallback (26.2.5.21)
CVE-2026-42790
7.4 - High
- May 27, 2026
Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com): First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName. Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback. The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher. This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.
Improper Certificate Validation
Erlang/OTP public_key (pre-1.15.1) Bypass Chain-of-Trust via Non-CA
CVE-2026-42789
8 - High
- May 27, 2026
Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP public_key (pubkey_cert module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. In lib/public_key/src/pubkey_cert.erl, pubkey_cert:validate_extensions/7 contains two flaws that together allow a certificate with basicConstraints cA:false and no keyUsage extension to be used as an intermediate issuer in a chain passed to public_key:pkix_path_validation/3: the cA:false clause recurses into the remaining extensions without rejecting the certificate when it is in issuer position, and the keyUsage check only fires when the extension is present, so a certificate lacking keyUsage entirely bypasses the keyCertSign enforcement. Any party holding an end-entity certificate with basicConstraints cA:false and no keyUsage extension, issued by any CA in the victim's trust store, can use that certificate's private key to sign forged leaf certificates for arbitrary identities. public_key:pkix_path_validation/3 accepts the resulting chain, and by extension every TLS or mTLS endpoint built on the OTP ssl application that relies on the default verifier is affected, including server identity verification on the client side and client certificate verification on mTLS servers. This issue affects OTP from OTP 17.0 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 0.22 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.
Improper Certificate Validation
golang.org/x/net/idna pre-0.55.0 IDN bug allows silent ASCII/Unicode mix
CVE-2026-39821
8.2 - High
- May 22, 2026
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".
Improper Validation of Unsafe Equivalence in Input
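The advisory's example works because an "xn--" label that decodes to pure ASCII is not a valid A-label (RFC 5891 section 4.2.3.1) yet the lenient converter returns it as if it were the plain label. The following added example (not the x/net/idna code; hostnames and the denylist are constructed) implements that missing check in Python using the standard `punycode` codec, and shows why a privilege check on the raw ASCII form followed by conversion is the wrong order.

```python
# Added example, not golang.org/x/net/idna code. Demonstrates the ASCII-only
# A-label check and the check-then-convert ordering bug from the advisory.


def _to_unicode(hostname, strict):
    """Decode each "xn--" label with the stdlib punycode codec.

    With strict=True, a label whose decoded form is ASCII-only is rejected,
    as RFC 5891 requires; strict=False reproduces the pre-fix behaviour.
    """
    out = []
    for label in hostname.split("."):
        if label[:4].lower() == "xn--":
            # A malformed Punycode body raises UnicodeError (a ValueError).
            decoded = label[4:].encode("ascii").decode("punycode")
            if strict and decoded.isascii():
                raise ValueError(f"invalid A-label {label!r}: decodes to ASCII-only {decoded!r}")
            out.append(decoded)
        else:
            out.append(label)
    return ".".join(out)


def to_unicode_lenient(hostname):
    """Pre-fix behaviour: "xn--example-.com" silently becomes "example.com"."""
    return _to_unicode(hostname, strict=False)


def to_unicode(hostname):
    """Fixed behaviour: ASCII-only A-labels are an error."""
    return _to_unicode(hostname, strict=True)


def is_well_formed(hostname):
    """True if every label converts cleanly under the strict rules."""
    try:
        to_unicode(hostname)
        return True
    except ValueError:
        return False


def naive_access(hostname, denied):
    """Bug pattern: deny-check the raw ASCII string, convert leniently after.
    Returns (name the program ends up using, allowed)."""
    if hostname.lower() in denied:
        return hostname, False
    return to_unicode_lenient(hostname), True


def hardened_access(hostname, denied):
    """Canonicalize first (rejecting malformed A-labels), then check the
    canonical name. The denylist is assumed to hold canonical names."""
    canonical = to_unicode(hostname).lower()
    return canonical, canonical not in denied


if __name__ == "__main__":
    denied = {"example.com"}  # constructed denylist
    print("naive:   ", naive_access("xn--example-.com", denied))      # bypass
    print("hardened:", is_well_formed("xn--example-.com"))             # rejected
    print("legit:   ", hardened_access("xn--mnchen-3ya.de", denied))   # münchen.de
```

The general rule the advisory illustrates: canonicalize untrusted identifiers to one form, reject inputs that cannot be canonicalized, and only then make the authorization decision on the canonical value.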
Auth Bypass in golang.org/x/crypto/ssh <0.52.0
CVE-2026-46595
7.1 - High
- May 22, 2026
Previously, CVE-2024-45337 fixed an authorization bypass for misused SSH server configurations. That fix did not cover the case where a callback type other than the public-key callback is used; in that case the source-address validation is skipped.
AuthZ
KnownHosts Revocation Check Failure in golang.org/x/crypto/ssh<0.52.0
CVE-2026-42508
7.4 - High
- May 22, 2026
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.
Improper Certificate Validation
SSH Auth PartialSuccessError Permissions Discarded (golang.org/x/crypto/ssh <0.52.0)
CVE-2026-39828
8.8 - High
- May 22, 2026
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
Improper Preservation of Permissions
go/crypto/ssh CPU DoS via oversized RSA/DSA keys before 0.52
CVE-2026-39829
7.5 - High
- May 22, 2026
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
Improper Validation of Specified Quantity in Input
Resource Leak in golang.org/x/crypto/ssh <0.52.0 via Global Request Buffers
CVE-2026-39830
7.5 - High
- May 22, 2026
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
Missing Release of Resource after Effective Lifetime
SSH Agent Constraint-Serialization Bug (v<0.52.0)
CVE-2026-39832
8.7 - High
- May 22, 2026
When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
Improper Preservation of Permissions
golang.org/x/crypto/ssh: CertChecker nil callback panic <0.52.0
CVE-2026-39835
7.5 - High
- May 22, 2026
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
NULL Pointer Dereference
Unbound <1.25.1 DoS via Excess EDNS Options
CVE-2026-41292
7.5 - High
- May 20, 2026
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).
Inefficient Algorithmic Complexity
RCE via Insecure Deserialization in APScheduler JSON/CBOR ser (4.0.0a5)
CVE-2026-31072
8.8 - High
- May 19, 2026
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers.
Marshaling, Unmarshaling
urllib3 2.6.0-<2.7.0 Decompress Whole Response DoS via Brotli
CVE-2026-44432
7.5 - High
- May 13, 2026
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
Data Amplification
Go net/mail 1.25.x-1.26.3: ParseAddress/Date CPU/Memory Exhaustion
CVE-2026-39820
7.5 - High
- May 07, 2026
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Unchecked Input for Loop Condition
DoS via consumePhrase in Go net/mail RFC 5322 parsing <1.26.3
CVE-2026-42499
7.5 - High
- May 07, 2026
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Creation of Immutable Text Using String Concatenation
Double-free CVE-2026-33811 via LookupCNAME in Go net (<=1.26.2)
CVE-2026-33811
7.5 - High
- May 07, 2026
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
Multiple Releases of Same Resource or Handle
Open vSwitch FTP Helper Heap OOB Leads to DoS
CVE-2026-34956
5.9 - Medium
- May 05, 2026
A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system.
Classic Buffer Overflow
Apache Thrift CVE-2026-43869: Improper Cert Host Mismatch before 0.23.0
CVE-2026-43869
7.3 - High
- May 05, 2026
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Improper Validation of Certificate with Host Mismatch
OpenStack Ironic idrac Remote Credential Exposure <=35.0.1
CVE-2026-42997
7.7 - High
- May 05, 2026
An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
Incorrect Resource Transfer Between Spheres
Heap Exhaustion via Unvalidated Len in Prometheus Remote Read (<3.5.3/3.11.3)
CVE-2026-42154
7.5 - High
- May 04, 2026
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Resource Exhaustion
Prometheus OAuth Client Secret Exposure via /-/config (pre 3.5.3/3.11.3)
CVE-2026-42151
7.5 - High
- May 04, 2026
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Information Disclosure
Keystone /v3/credentials Unvalidated project_id Enables EC2 Token Cross-Project Lateral Movement
CVE-2026-43001
8 - High
- May 01, 2026
An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
AuthZ
Apache Thrift Go TFramedTransport Integer Overflow (<0.23.0)
CVE-2026-41602
7.5 - High
- April 28, 2026
Integer Overflow or Wraparound vulnerability in the Apache Thrift TFramedTransport Go language implementation. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Integer Overflow or Wraparound
Apache Thrift c_glib Mismatched Memory Management Routines (<0.23.0)
CVE-2025-48431
7.5 - High
- April 28, 2026
Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash a c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.
Mismatched Memory Management Routines
Go crypto/x509 Intermediates DoS (<=1.26.2)
CVE-2026-32280
7.5 - High
- April 08, 2026
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Allocation of Resources Without Limits or Throttling
Go crypto/tls TLS 1.3 KeyUpdate deadlock DoS (1.25.9 & <1.26.2)
CVE-2026-32283
7.5 - High
- April 08, 2026
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Multiple Locks of a Critical Resource
Go 1.26.x crypto/x509 DNS Constraint Case Sensitivity
CVE-2026-33810
8.8 - High
- April 08, 2026
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Improper Validation of Unsafe Equivalence in Input
Erlang OTP (inets) Auth Bypass via script_alias (v17.0-28.4.2)
CVE-2026-28808
7.4 - High
- April 07, 2026
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
AuthZ
Erlang OTP 27.0-28.4.2: Improper Cert Validation in pubkey_ocsp (OCA Responder Bypass)
CVE-2026-32144
7.4 - High
- April 07, 2026
Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.
Improper Certificate Validation
GoJOSE JWE Decrypt Panic (DoS) Fixed v4.1.4/3.0.5
CVE-2026-34986
7.5 - High
- April 06, 2026
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
Uncaught Exception
OpenStack Glance SSRF via Import Redirect (<29.1.1, 30.x <30.1.1, 31.0.0)
CVE-2026-34881
7.1 - High
- March 31, 2026
OpenStack Glance before 29.1.1, 30.x before 30.1.1, and 31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin.
SSRF
Go jsonparser Delete Negative Slice Index DoS
CVE-2026-32285
7.5 - High
- March 26, 2026
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
Improper Validation of Specified Index, Position, or Offset in Input
gRPC-Go Auth Bypass (1.79.2) via noncanonical :path
CVE-2026-33186
9.1 - Critical
- March 20, 2026
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`, AND whose security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: a validating interceptor that rejects any path without a leading slash (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
AuthZ
UltraJSON 5.10-5.11 INDENT Overflow & Infinite Loop in ujson.dumps() until 5.12
CVE-2026-32875
7.5 - High
- March 20, 2026
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.
Integer Overflow or Wraparound
UltraJSON v5.4.0-5.11.0 Memory Leak via Large Integers (Denial of Service)
CVE-2026-32874
7.5 - High
- March 20, 2026
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak when parsing large integers (those outside the range [-2^63, 2^64 - 1]). The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected for having more than sys.get_int_max_str_digits() digits, meaning that a leak of any size per malicious JSON document can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.
Memory Leak
pyOpenSSL CVE-2026-27459: Buffer Overflow via cookie callback (22.0.0-26.0.0)
CVE-2026-27459
8.1 - High
- March 17, 2026
pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.
Classic Buffer Overflow
Go <1.26: crypto/x509 Email Constraint Bug
CVE-2026-27137
7.5 - High
- March 06, 2026
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Improper Certificate Validation
Go net/url Host Validation Flaw in Parse (v<1.25.8, <1.26.1)
CVE-2026-25679
7.5 - High
- March 06, 2026
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Improper Validation of Syntactic Correctness of Input
Docker CLI Windows Low-Priv PrivEsc via Malicious CLI Plugins (<=29.1.5)
CVE-2025-15558
7.3 - High
- March 04, 2026
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, allowing privilege escalation if the docker CLI is executed as a privileged user. This issue affects Docker CLI through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager package (https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager), such as Docker Compose. This issue does not impact non-Windows binaries or projects not using the plugin-manager code.
DLL preloading
OpenStack Nova 30.2.2/31.2.1/32.1.1: Flat Image Backend Unsafe Resize
CVE-2026-24708
7.1 - High
- February 18, 2026
An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.
Incorrect Resource Transfer Between Spheres
Django SQLi via order_by alias before 6.0.2/5.2.11/4.2.28
CVE-2026-1312
8.5 - High
- February 03, 2026
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is also used in `FilteredRelation` via dictionary expansion of a suitably crafted dictionary. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
SQL Injection