OSSA-2026-019: File Extraction from Ironic conductor via pxe_template¶
- Date:
June 03, 2026
- CVE:
CVE-2026-44917
Affects¶
Ironic: >=17.0.0 <26.1.7, >=27.0.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2
Description¶
Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology) from the Metal3.io Security Team reported a vulnerability in Ironic’s boot interfaces. A project owner or manager with access to modify node.driver_info[pxe_template] can set it to /etc/ironic/ironic.conf or any other sensitive file readable by the conductor process. Ironic will then place this “template file” into a TFTP or HTTP server for netbooting, where it can be fetched by anything with network access to the conductor.
Ironic intends on completely removing this feature in a future release.
Patches¶
https://review.opendev.org/c/openstack/ironic/+/991389 (2023.1/antelope (unmaintained))
https://review.opendev.org/c/openstack/ironic/+/991385 (2024.1/caracal (unmaintained))
https://review.opendev.org/c/openstack/ironic/+/991382 (2025.1/epoxy)
https://review.opendev.org/c/openstack/ironic/+/991379 (2025.2/flamingo)
https://review.opendev.org/c/openstack/ironic/+/991376 (2026.1/gazpacho)
https://review.opendev.org/c/openstack/ironic/+/991367 (2026.2/hibiscus (development))
https://review.opendev.org/c/openstack/ironic/+/991373 (Bugfix/33.0)
https://review.opendev.org/c/openstack/ironic/+/991370 (Bugfix/34.0)
Credits¶
Dmitry Tantsur from Red Hat
Tuomo Tanskanen from Ericsson Software Technology
References¶
Notes¶
Releases 2024.1 (caracal) and 2023.1 (antelope) are unmaintained. Patches are provided as a courtesy. Releases 2023.2 (bobcat) and 2024.2 (dalmation) are end of life and have not had patches provided. See https://releases.openstack.org for more information on supported releases.
Ironic bugfix branch patches will be available in git for interested operators. We will not perform an additional release from these branches.
