CVE-2026-44916

NameCVE-2026-44916
DescriptionIn OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6341-1
Debian Bugs1136005

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ironic (PTS)bullseye1:16.0.3-1vulnerable
bookworm1:21.1.0-3vulnerable
bookworm (security)1:21.4.4-0+deb12u1fixed
trixie1:29.0.0-7vulnerable
trixie (security)1:29.0.5-0+deb13u2fixed
forky1:35.0.1-5fixed
sid1:35.0.1-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ironicsourcebookworm1:21.4.4-0+deb12u1DSA-6341-1
ironicsourcetrixie1:29.0.5-0+deb13u2DSA-6341-1
ironicsource(unstable)1:35.0.1-21136005

Notes

[bullseye] - ironic <no-dsa> (Minor issue)
https://bugs.launchpad.net/ironic/+bug/2148307
https://review.opendev.org/c/openstack/ironic/+/987514
Search for package or bug name: Reporting problems