OSSA-2026-025: RBAC Bypass in IPMI Raw Command Execution

Date:

July 08, 2026

CVE:

CVE-2026-54423

Affects

  • Ironic: >=22.1.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2, >=36.0.0 <37.0.1

Description

Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson Software Technology) of the Metal3.io Security Team descovered a vulnerability around IPMI management_interface. A malicious user with access to deploy a node directly via Ironic can specify the IPMI send_raw deployment step with a malicious payload and send commands to that nodes’ BMC. IPMI send_raw capability is exposed multiple ways, including via our VendorPassthru interfaces (restricted to system admin) and other step based flows such as cleaning or servicing. This also means any malicious user with the ability to initate manual cleaning and servicing flows with arbitrary steps can also execute this vulnerability. Operators can fix this issue by applying the provided patches which apply a blocklist forbidding use of the IPMI send_raw functionality in certain provisioning methods. Clouds currently using IPMI send_raw functionality should carefully review the behavior changes in the provided patches to ensure their workflows are not broken.

Patches

Credits

  • Dmitry Tantsur from Red Hat

  • Tuomo Tanskanen from Ericcson Software Technology

References

Notes

  • Ironic bugfix branch patches will be available in git for interested operators. We will not perform an additional release from these branches.