CVE-2026-46447 PUBLISHED

Assigner: mitre
Reserved: 14.05.2026 Published: 03.06.2026 Updated: 04.06.2026

OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
CVSS Score: 5.8

Product Status

Vendor OpenStack
Product Ironic
Versions Default: unaffected
  • affected from 17.0.0 to 26.1.7 (excl.)
  • affected from 27.0.0 to 29.0.6 (excl.)
  • affected from 30.0.0 to 32.0.2 (excl.)
  • affected from 33.0.0 to 35.0.2 (excl.)

References

Problem Types

  • CWE-669 Incorrect Resource Transfer Between Spheres CWE