CVE-2026-28370 PUBLISHED

Assigner: mitre
Reserved: 27.02.2026 Published: 27.02.2026 Updated: 27.02.2026

In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	OpenStack
Product	Vitrage
Versions	Default: unknown affected from 0 to 12.0.1 (excl.) Version 13.0.0 is affected Version 14.0.0 is affected Version 15.0.0 is affected

References

Problem Types

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE