OpenStack Ironic Python Agent Vulnerability CVE-2026-43003 Allows Code Execution

The National Vulnerability Database has identified CVE-2026-43003, a critical vulnerability impacting OpenStack’s ironic-python-agent versions 1.0.0 through 11.5.0. The issue stems from the agent’s handling of grub-install within a chroot environment of a deployed partition image. This mechanism can be exploited by a malicious image to achieve arbitrary code execution on the underlying system, posing a significant risk to cloud infrastructure deployments.

This vulnerability, with a CVSS score of 8 (HIGH), allows an attacker with low privileges and the ability to provide a malicious image to compromise the integrity and availability of the affected OpenStack deployments. The attack vector is described as adjacent (AV:A), requiring a high level of complexity (AC:H) but carrying severe consequences across confidentiality, integrity, and availability (C:H/I:H/A:H) with a scope change (S:C).

What This Means For You

  • If your organization utilizes OpenStack ironic-python-agent, you must immediately review the affected versions (1.0.0 through 11.5.0) and assess your patching status. Prioritize upgrades to mitigate the risk of code execution via compromised deployment images.

🛡️ Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1574.002 Persistence

CVE-2026-43003 - Ironic Python Agent Grub Install Chroot Execution

Sigma YAML
title: CVE-2026-43003 - Ironic Python Agent Grub Install Chroot Execution
id: scw-2026-05-01-ai-1
status: experimental
level: critical
description: |
  Detects the execution of 'grub-install' with the '--chroot' argument, which is the specific mechanism exploited by CVE-2026-43003. This indicates that the Ironic Python Agent is attempting to install GRUB within a chroot environment, potentially leading to code execution if a malicious image is used.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43003/
tags:
  - attack.persistence
  - attack.t1574.002
logsource:
  category: process_creation
detection:
  # Both fields of the selection must match the same event.
  selection:
    Image|endswith:
      - 'grub-install'
    CommandLine|contains:
      - '--chroot'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
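
The rule above matches only when the string `--chroot` appears on the grub-install command line itself. As an added example (not from the original page or the OpenStack project), the Python below correlates process lineage instead: it flags grub-install only when an ancestor is a `chroot` exec started by ironic-python-agent, and reports the new root to examine. The event field names, the sample events, and the assumption that the agent launches `chroot` as a separate process are constructed for illustration.

```python
import os
import shlex

# Constructed process-creation events in time order; field names are assumptions.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "/usr/bin/python3",
     "cmdline": "python3 /usr/bin/ironic-python-agent"},
    # pid 210 execs chroot, which then execs the shell in place (same pid).
    {"pid": 210, "ppid": 100, "image": "/usr/sbin/chroot",
     "cmdline": "chroot /tmp/example-root /bin/sh -c 'grub-install /dev/sda'"},
    {"pid": 210, "ppid": 100, "image": "/bin/sh",
     "cmdline": "/bin/sh -c 'grub-install /dev/sda'"},
    {"pid": 211, "ppid": 210, "image": "/usr/sbin/grub-install",
     "cmdline": "grub-install /dev/sda"},
    # Host-side admin run: no chroot and no agent in the lineage.
    {"pid": 300, "ppid": 1, "image": "/bin/bash", "cmdline": "-bash"},
    {"pid": 301, "ppid": 300, "image": "/usr/sbin/grub-install",
     "cmdline": "grub-install /dev/sdb"},
]

def page_rule_matches(ev):
    """The selection from the Sigma rule on this page, applied to one event."""
    return ev["image"].endswith("grub-install") and "--chroot" in ev["cmdline"]

def chroot_dir(cmdline):
    """New root of a chroot command line: its first non-option argument."""
    return next((a for a in shlex.split(cmdline)[1:] if not a.startswith("-")), None)

def find_chrooted_grub_installs(events, agent_marker="ironic-python-agent"):
    """Return (pid, chroot_dir) for every grub-install exec whose lineage
    contains both a chroot exec and the agent process."""
    history, parent, hits = {}, {}, []   # pid -> earlier execs, pid -> ppid
    for ev in events:
        parent[ev["pid"]] = ev["ppid"]
        if os.path.basename(ev["image"]) == "grub-install":
            lineage, pid, seen = [], ev["pid"], set()
            while pid in parent and pid not in seen:   # seen guards pid cycles
                seen.add(pid)
                lineage.extend(reversed(history.get(pid, [])))
                pid = parent[pid]
            chroots = [a for a in lineage if os.path.basename(a["image"]) == "chroot"]
            if chroots and any(agent_marker in a["cmdline"] for a in lineage):
                hits.append((ev["pid"], chroot_dir(chroots[0]["cmdline"])))
        history.setdefault(ev["pid"], []).append(ev)
    return hits

if __name__ == "__main__":
    print([e["pid"] for e in EVENTS if page_rule_matches(e)],
          find_chrooted_grub_installs(EVENTS))
```

On these constructed events the page's selection matches nothing, while the lineage check returns the grub-install process under the agent's chroot together with the mounted image root.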

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43003 | Code Execution | OpenStack ironic-python-agent versions 1.0.0 through 11.5.0 |
| CVE-2026-43003 | Code Execution | ironic-python-agent executing grub-install from within a chroot of a malicious deployed partition image |
| CVE-2026-43003 | Code Execution | Vulnerable code in ironic_python_agent/efi_utils.py#L134-L139 |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 01, 2026 at 12:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
