CVE-2026-54421
MEDIUM EPSS 20.7%
Published Jun 14, 2026 (2w ago) · Modified Jun 17, 2026 (1w ago)
6.8 CVSS 3.1
Description
In OpenStack Ironic before 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Changed
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
20.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-212
References 3
- openwall.com http://www.openwall.com/lists/oss-security/2026/06/16/10
- bugs.launchpad.net https://bugs.launchpad.net/ironic/+bug/2155049
- security.openstack.org https://security.openstack.org/ossa/OSSA-2026-023.html
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.