CVE Catalog

CVE-2026-54421

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

In OpenStack Ironic before version 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information such as iSCSI credentials.

Risk Assessment

The risk involves the potential exposure of sensitive information, which could lead to unauthorized access to resources. Organizations should be aware of the risks associated with the disclosure of credential data.

Recommendation

It is recommended to upgrade OpenStack Ironic to version 37.0.1 or later to mitigate this vulnerability. An audit of access to sensitive information should also be conducted.

Original NVD description (English source)

In OpenStack Ironic before 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS