OSSA-2026-020: Mistral policy enforcement bypass allows unauthorized public resource creation and arbitrary code execution¶

Date:: June 03, 2026
CVE:: CVE-2026-41283

Affects¶

Mistral: >=20.0.0 <20.1.1, ==21.0.0, ==22.0.0

Description¶

Eduardo Gonzalez Gutierrez and Arnaud Morin (OVHcloud) reported that several Mistral API endpoints do not enforce access policies, allowing any authenticated user to create public resources and upload arbitrary code that executes on Mistral executor workers. An attacker could extract sensitive data including service credentials from the worker. Deployments exposing the Mistral API are affected.

Patches¶

https://review.opendev.org/991416 (2025.1/epoxy)
https://review.opendev.org/991417 (2025.1/epoxy)
https://review.opendev.org/991418 (2025.1/epoxy)
https://review.opendev.org/991419 (2025.1/epoxy)
https://review.opendev.org/991420 (2025.1/epoxy)
https://review.opendev.org/991421 (2025.1/epoxy)
https://review.opendev.org/991422 (2025.1/epoxy)
https://review.opendev.org/991423 (2025.1/epoxy)
https://review.opendev.org/991408 (2025.2/flamingo)
https://review.opendev.org/991409 (2025.2/flamingo)
https://review.opendev.org/991410 (2025.2/flamingo)
https://review.opendev.org/991411 (2025.2/flamingo)
https://review.opendev.org/991412 (2025.2/flamingo)
https://review.opendev.org/991413 (2025.2/flamingo)
https://review.opendev.org/991414 (2025.2/flamingo)
https://review.opendev.org/991415 (2025.2/flamingo)
https://review.opendev.org/991400 (2026.1/gazpacho)
https://review.opendev.org/991401 (2026.1/gazpacho)
https://review.opendev.org/991402 (2026.1/gazpacho)
https://review.opendev.org/991403 (2026.1/gazpacho)
https://review.opendev.org/991404 (2026.1/gazpacho)
https://review.opendev.org/991405 (2026.1/gazpacho)
https://review.opendev.org/991406 (2026.1/gazpacho)
https://review.opendev.org/991407 (2026.1/gazpacho)
https://review.opendev.org/991392 (2026.2/hibiscus)
https://review.opendev.org/991393 (2026.2/hibiscus)
https://review.opendev.org/991394 (2026.2/hibiscus)
https://review.opendev.org/991395 (2026.2/hibiscus)
https://review.opendev.org/991396 (2026.2/hibiscus)
https://review.opendev.org/991397 (2026.2/hibiscus)
https://review.opendev.org/991398 (2026.2/hibiscus)
https://review.opendev.org/991399 (2026.2/hibiscus)

Credits¶

Eduardo Gonzalez Gutierrez from Independent (CVE-2026-41283)
Arnaud Morin from OVHcloud (CVE-2026-41283)

OSSA-2026-020: Mistral policy enforcement bypass allows unauthorized public resource creation and arbitrary code execution

OSSA-2026-020: Mistral policy enforcement bypass allows unauthorized public resource creation and arbitrary code execution¶

Affects¶

Description¶

Patches¶

Credits¶

References¶

Contents