CVE-2026-54421 MEDIUM

Vendor OpenStack
Product Ironic
Weakness CWE-212
Published June 14, 2026
Last update June 15, 2026

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.

Key dates

02 Disclosure timeline

June 14, 2026 CVE published
June 15, 2026 Record updated