CVE-2026-44918
highCVSS v3 Base Score
8.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Confidentiality
High
Integrity
High
Availability
None
Vulnerability Report
Generated by CyberWatcher
Description
A flaw was found in OpenStack Ironic. An authenticated project manager can change the node associated with Volume Connectors or Volume Target objects, potentially changing the project permitted to access the object. Volume Connectors contain secrets in environments configuring boot from volume with iSCSI volumes. Additionally, a project manager with the ability to create nodes can use the UUID of a node not owned by their project as a parent node when creating a new node. This mismatched child node can then be used to impact operations on the parent, such as forcing it to power on.
CWE
CWE-1220Affected Products
Red Hat OpenShift Container Platform 4Red Hat OpenStack Platform 16.2Red Hat OpenStack Platform 17.1Red Hat OpenStack Platform 18.0