CVE-2026-54421 PUBLISHED

Assigner: mitre
Reserved: 14.06.2026 Published: 14.06.2026 Updated: 14.06.2026

In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 6.8

Product Status

Vendor OpenStack
Product Ironic
Versions Default: unaffected
  • affected from 0 to 35.0.1 (incl.)

Problem Types

  • CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer