Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-28T04:53:10 OpenStack Ironic: ipmitool: OpenStack Ironic: Arbitrary Code Execution via Remote Hardware Management 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CWE-78

OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration that has a console interface.

A flaw was found in OpenStack Ironic. When configured with a console interface in a non-default setup, this vulnerability allows an attacker to execute `ipmitool` commands. This unauthorized execution can lead to remote management of the underlying hardware, potentially resulting in arbitrary code execution, privilege escalation, and complete control over the affected system.

To mitigate this issue, avoid enabling the console interface in OpenStack Ironic if it is not strictly required for your operational needs. If the console interface is enabled, ensure that access to the OpenStack Ironic service is restricted to trusted administrative networks to prevent unauthorized `ipmitool` command execution. Any changes to Ironic configuration may require a service restart to take effect, which could impact ongoing bare metal provisioning operations. Red Hat OpenShift Container Platform 4 Fix deferred openstack-ironic Red Hat OpenStack Platform 16.2 Fix deferred openstack-ironic Red Hat OpenStack Platform 17.1 Fix deferred openstack-ironic Red Hat OpenStack Platform 18.0 Fix deferred openstack-ironic https://www.cve.org/CVERecord?id=CVE-2026-42510 https://nvd.nist.gov/vuln/detail/CVE-2026-42510 https://bugs.launchpad.net/ironic/+bug/2148331