==========================================================================================================
OSSA-2026-010: Credential Forwarding to Arbitrary Endpoints via Ironic's idrac Configuration Molds Feature
==========================================================================================================

:Date: May 05, 2026
:CVE: CVE-2026-42997

Affects
~~~~~~~

- Ironic: >=17.0.0 <26.1.6, >=27.0.0 <29.0.5, >=30.0.0 <32.0.1, >=33.0.0 <35.0.1

Description
~~~~~~~~~~~

Dmitry Tantsur and Tuomo Tanskanen from the Metal3.io Security Team reported a vulnerability in Ironic's configuration mold import code for idrac. When importing a configuration mold, a user invoking molds can request that authorization be sent to a remote endpoint. The credential forwarded is either a time-limited Keystone token (which grants access to every OpenStack service Ironic is authorized for) or the basic credentials configured for mold storage. Operators choose the URL, and the attacker must already be authenticated with permission to execute clean/deploy steps, but the URL that receives the authorization request is user-controlled and not validated by Ironic.
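The missing check is validation of where the credential goes before it is attached to a request. The following is an added Python example, not Ironic's own code: it refuses to build an authorization header unless the mold location sits under an operator-configured storage base. The base URLs, the option name ``OPERATOR_MOLD_STORAGE`` and the function names are constructed for illustration.

```python
from posixpath import normpath
from urllib.parse import urlsplit

# Constructed for this example: base URLs the operator has configured as mold
# storage. Only these may ever receive the Keystone token or basic credentials.
OPERATOR_MOLD_STORAGE = (
    "https://molds.example.internal/ironic/",
    "https://swift.example.internal/v1/AUTH_molds/",
)


def _split(url):
    """Return (scheme, host, port, normalized path) with '..' segments resolved."""
    parts = urlsplit(url)
    path = normpath(parts.path or "/")
    return parts.scheme.lower(), parts.hostname, parts.port, path


def credentials_allowed(mold_url, allowed_bases=OPERATOR_MOLD_STORAGE):
    """True only if mold_url sits under an operator-configured storage base.

    Scheme must be https and host, port and path prefix must all match, so a
    user-supplied URL that points at another host, a plain-http listener, a
    userinfo trick (trusted-host@other-host) or a different path on the
    storage host is refused before any authorization header is built.
    """
    scheme, host, port, path = _split(mold_url)
    if scheme != "https" or not host:
        return False
    for base in allowed_bases:
        b_scheme, b_host, b_port, b_path = _split(base)
        if (scheme, host, port) != (b_scheme, b_host, b_port):
            continue
        b_path = b_path.rstrip("/")
        if path == b_path or path.startswith(b_path + "/"):
            return True
    return False


def build_headers(mold_url, token):
    """Attach the Keystone token only when the destination is trusted."""
    if not credentials_allowed(mold_url):
        raise ValueError("refusing to forward credentials to %s" % mold_url)
    return {"X-Auth-Token": token}
```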
Patches
~~~~~~~

- https://review.opendev.org/c/openstack/ironic/+/986817 (2023.1/antelope (unmaintained))
- https://review.opendev.org/c/openstack/ironic/+/986816 (2024.1/caracal (unmaintained))
- https://review.opendev.org/c/openstack/ironic/+/986815 (2024.2/dalmatian)
- https://review.opendev.org/c/openstack/ironic/+/986767 (2025.1/epoxy)
- https://review.opendev.org/c/openstack/ironic/+/986737 (2025.2/flamingo)
- https://review.opendev.org/c/openstack/ironic/+/986725 (2026.1/gazpacho)

Credits
~~~~~~~

- Dmitry Tantsur from Metal3.io Security Team
- Tuomo Tanskanen from Metal3.io Security Team

References
~~~~~~~~~~

- https://bugs.launchpad.net/ironic/+bug/2148317
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42997

Notes
~~~~~

- The molds feature was deprecated in the 2024.1 (Caracal) release and has been removed during development of the 2026.2 (Hibiscus) release.