OpenStack Ironic 35.0.1: PATCH on volume props leaks iSCSI creds: CVE-2026-54421 June 2026

In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.

Vulnerability Analysis

CVE-2026-54421 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

HIGH

User Interaction:

NONE

Scope:

CHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

NONE

Availability Impact:

NONE

Weakness Type

Improper Removal of Sensitive Information Before Storage or Transfer

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

Products Associated with CVE-2026-54421

Want to know whenever a new CVE is published for OpenStack Ironic? stack.watch will email you.

OpenStack Ironic 35.0.1: PATCH on volume props leaks iSCSI creds
CVE-2026-54421 Published on June 14, 2026

Vulnerability Analysis

Weakness Type

Improper Removal of Sensitive Information Before Storage or Transfer

Products Associated with CVE-2026-54421

Affected Versions

OpenStack Ironic 35.0.1: PATCH on volume props leaks iSCSI credsCVE-2026-54421 Published on June 14, 2026

Vulnerability Analysis

Weakness Type

Improper Removal of Sensitive Information Before Storage or Transfer

Products Associated with CVE-2026-54421

Affected Versions

OpenStack Ironic 35.0.1: PATCH on volume props leaks iSCSI creds
CVE-2026-54421 Published on June 14, 2026