CVE-2026-48681: OpenStack Ironic Directory Traversal File Overwrite (MEDIUM)
OpenStack Ironic, a bare-metal provisioning service, contains a directory traversal vulnerability that allows authenticated administrators to overwrite arbitrary files on the system during deployment when using a specially crafted ISO image. An attacker with high-level privileges can exploit this during the boot image creation process to alter critical system files or configuration, potentially compromising the integrity of deployed infrastructure.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-23
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-48681 is a path traversal flaw in OpenStack Ironic versions prior to 35.0.2 that arises from insufficient validation of ISO image contents during deployment. The vulnerability maps to CWE-23 (Relative Path Traversal) and permits an authenticated high-privileged user to supply a malicious ISO with directory traversal sequences in file paths. When Ironic processes this image, it writes files to unintended locations on the host filesystem, bypassing intended access controls. The attack surface is limited by the requirement for high administrative privileges and non-trivial setup, reflected in the CVSS vector's AC:H (attack complexity: high) rating.
Business impact
This vulnerability poses a confidentiality and integrity risk to OpenStack deployments. While exploitation requires high-privilege credentials, a compromised administrator account or insider threat could leverage this to alter system configurations, inject backdoors, or expose sensitive deployment data. For organizations running Ironic in production bare-metal environments, successful exploitation could lead to persistent infrastructure compromise, supply-chain contamination of deployed workloads, or cascading failures across physical assets under Ironic management.
Affected systems
OpenStack Ironic deployments running versions before 35.0.2 are affected. This includes both community and commercial OpenStack distributions that bundle or integrate Ironic for bare-metal provisioning. Version 35.0.2 and later contain the fix. Organizations should verify their exact Ironic version via `ironic-conductor --version` or by checking the release notes in their OpenStack distribution.
Exploitability
Exploitation is moderately difficult in practice. The attacker must possess high-privilege administrator credentials (PR:H in CVSS), and the attack requires manual crafting of a malicious ISO image combined with knowledge of Ironic's deployment workflow. No public exploit code has been reported, and the vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread active exploitation in the wild at this time. However, the barrier to exploitation is substantially lower for insiders or accounts with admin-level access.
Remediation
Upgrade OpenStack Ironic to version 35.0.2 or later. Organizations should prioritize patching in environments where Ironic manages production bare-metal infrastructure or where non-root administrative accounts exist. In the interim, restrict ISO upload and deployment privileges to a minimal set of trusted operators, implement file integrity monitoring on critical system directories during deployments, and audit Ironic deployment logs for suspicious image sources or file operations.
Patch guidance
Obtain version 35.0.2 or later from the official OpenStack release channels or your distribution maintainer. Test the patch in a non-production environment first to verify compatibility with your Ironic deployment (particularly any custom plugins or integrations). Standard OpenStack upgrade procedures apply: update the Ironic conductor and API services, and verify service health through `openstack baremetal conductor list` and conductor logs. No database migrations are indicated, but consult the OpenStack Ironic 35.0.2 release notes for any additional upgrade steps specific to your configuration.
Detection guidance
Monitor for anomalous file creation or modification in unexpected paths on Ironic compute nodes during ISO deployments. Examine Ironic conductor logs for errors related to file operations with unusual paths containing traversal sequences (../ or similar). Use auditd rules to track file writes to sensitive system directories (/etc, /usr/local/bin, etc.) that occur during bare-metal instance provisioning. Network-based detection is limited; focus on host-level file integrity monitoring and conductor audit logs. Check Ironic API request logs for deployments using ISO images from untrusted or unexpected sources.
Why prioritize this
Although this vulnerability carries a MEDIUM CVSS score (5.9), prioritize patching because it affects infrastructure-layer services that govern bare-metal deployments. The high-privilege requirement reduces immediate risk for most organizations, but the potential for persistent infrastructure compromise and the centrality of Ironic to bare-metal cloud operations warrant timely remediation. The absence from the KEV catalog indicates it is not currently a mass-exploitation target, providing a window for controlled patching.
Risk score, explained
The CVSS 3.1 score of 5.9 reflects a network-accessible service (AV:N) with high attack complexity (AC:H) requiring high privileges (PR:H), but with high impact on confidentiality and integrity (C:H/I:H/A:N). The score appropriately captures that while the vulnerability is serious, real-world exploitation is constrained by privilege and complexity requirements. Organizations with strict privilege separation and audit controls will see lower practical risk than those with permissive administrator account policies.
Frequently asked questions
Can an unauthenticated user exploit this vulnerability?
No. The vulnerability requires high-privilege administrator credentials (PR:H in CVSS terms). Unauthenticated users cannot access Ironic's deployment functions and cannot supply custom ISO images.
Is there a workaround if we cannot patch immediately?
Partial mitigation is possible by restricting ISO upload and deployment permissions to a minimal set of highly trusted operators, implementing mandatory code review of ISO contents before deployment, and enabling file integrity monitoring on critical directories. However, these do not eliminate the risk entirely—patching is the definitive fix.
Does this affect OpenStack distributions other than upstream?
Potentially, if the distribution bundles Ironic and has not yet released version 35.0.2 or a backported security patch. Contact your distribution maintainer or consult their security advisories to determine the fixed version applicable to your release.
What should we check in our logs if we suspect exploitation?
Search Ironic conductor logs for file operation errors, ISO processing warnings, or unexpected file creation outside standard deployment paths. Review file system audit logs (auditd) for writes to /etc or other critical directories during ISO deployments. Check Ironic API logs for unusual deployment requests with ISO images from unexpected sources or with suspicious file path patterns.
This analysis is provided for informational purposes and reflects publicly available information as of the modification date (2026-06-17). Verify all patch versions, compatibility, and deployment procedures against official OpenStack security advisories and your vendor's documentation. SEC.co makes no warranty regarding the accuracy or completeness of this analysis or the effectiveness of mitigations. Always conduct testing in non-production environments before applying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-48977MEDIUMApache Ignite REST API Path Traversal – Authenticated File Read Vulnerability
- CVE-2026-10074MEDIUMDreamMaker Arbitrary File Read Vulnerability (MEDIUM)
- CVE-2025-41271HIGHWaterfall WF-500 Path Traversal – Arbitrary File Read Vulnerability
- CVE-2025-41280HIGHWaterfall WF-500 RX Host Path Traversal (Zip Slip) Code Execution Vulnerability
- CVE-2026-10073HIGHDreamMaker Arbitrary File Read via Relative Path Traversal
- CVE-2026-42998MEDIUMOpenStack Keystone Application Credential Authentication Bypass
- CVE-2026-42999MEDIUMOpenStack Keystone RBAC Bypass via JSON Request Body Injection
- CVE-2026-43000MEDIUMOpenStack Keystone Privilege Escalation via Application Credential Impersonation