Dmitry Tantsur and Tuomo Tanskanen discovered that Ironic did not properly validate file paths when handling ISO images. A privileged authenticated remote user could use this issue to perform path traversal via a crafted ISO image and overwrite arbitrary files on the Ironic conductor. (CVE-2026-48681)

Dmitry Tantsur and Tuomo Tanskanen discovered that Ironic did not properly validate kernel command line parameters. A privileged authenticated remote user could use this issue to inject scripts during node boot and possibly execute arbitrary code. (CVE-2026-46447)

Dmitry Tantsur and Tuomo Tanskanen discovered that Ironic incorrectly restricted access to custom PXE templates. A privileged authenticated remote user could use this issue to read arbitrary sensitive files on the Ironic conductor. (CVE-2026-44917)
Three vulnerabilities in OpenStack Ironic allow a privileged authenticated remote user to: perform path traversal and overwrite arbitrary files on the conductor via crafted ISO images (CVE-2026-48681, CVSS 5.9); inject scripts during node boot via kernel command line parameters (CVE-2026-46447, CVSS 5.8); and read arbitrary sensitive files on the conductor via custom PXE templates (CVE-2026-44917, CVSS 4.9). Affected versions are Ironic 17.0.0 to below 26.1.7, 27.0.0 to below 29.0.6, 30.0.0 to below 32.0.2, and 33.0.0 to below 35.0.2. The vulnerabilities are fixed in versions 26.1.7, 29.0.6, 32.0.2, and 35.0.2.
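As an added example (not part of the advisory or of the Ironic project), a small Python helper that applies the affected-version ranges stated above to an installed Ironic version and reports the first fixed release of that series, so an operator can triage a deployment without re-reading the ranges by hand:

```python
"""Affected-version check for the Ironic advisory above.

Constructed helper for triage; it is not Ironic code. The ranges are copied
from the advisory: each entry is (first affected release, first fixed release).
Versions outside every listed range (below 17.0.0, or 35.0.2 and later) are
reported as not affected, exactly as the advisory states them. Pre-release
suffixes such as "35.0.2rc1" are rejected rather than guessed at.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_RANGES = (
    ((17, 0, 0), (26, 1, 7)),
    ((27, 0, 0), (29, 0, 6)),
    ((30, 0, 0), (32, 0, 2)),
    ((33, 0, 0), (35, 0, 2)),
)


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' (or a shorter 'X.Y' / 'X') into a comparable tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for the series containing `version`,
    or None when the version lies outside every affected range."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        # Half-open interval: the fixed release itself is not affected.
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(version: str) -> bool:
    """True when the advisory lists this version as vulnerable."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    for sample in ("26.1.6", "26.1.7", "28.2.0", "35.0.2"):
        fix = fixed_version_for(sample)
        print(f"{sample}: {'upgrade to ' + fix if fix else 'not affected'}")
```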