[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7b4285aa-f28b-4dc8-9d70-d34eeb19977e@gmail.com>
Date: Wed, 3 Jun 2026 09:30:31 -0700
From: Goutham Pacha Ravi <gouthampravi@...il.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2026-020] OpenStack Mistral: Mistral policy enforcement bypass
allows unauthorized public resource creation and arbitrary code execution
(CVE-2026-41283)
==========================================================================================================================
OSSA-2026-020: Mistral policy enforcement bypass allows unauthorized
public resource creation and arbitrary code execution
==========================================================================================================================
:Date: June 03, 2026
:CVE: CVE-2026-41283
Affects
~~~~~~~
- Mistral: >=20.0.0 <20.1.1, ==21.0.0, ==22.0.0
Description
~~~~~~~~~~~
Eduardo Gonzalez Gutierrez and Arnaud Morin (OVHcloud) reported that
several Mistral API endpoints do not enforce access policies, allowing
any authenticated user to create public resources and upload arbitrary
code that executes on Mistral executor workers. An attacker could
extract sensitive data including service credentials from the worker.
Deployments exposing the Mistral API are affected.
Patches
~~~~~~~
- https://review.opendev.org/991416 (2025.1/epoxy)
- https://review.opendev.org/991417 (2025.1/epoxy)
- https://review.opendev.org/991418 (2025.1/epoxy)
- https://review.opendev.org/991419 (2025.1/epoxy)
- https://review.opendev.org/991420 (2025.1/epoxy)
- https://review.opendev.org/991421 (2025.1/epoxy)
- https://review.opendev.org/991422 (2025.1/epoxy)
- https://review.opendev.org/991423 (2025.1/epoxy)
- https://review.opendev.org/991408 (2025.2/flamingo)
- https://review.opendev.org/991409 (2025.2/flamingo)
- https://review.opendev.org/991410 (2025.2/flamingo)
- https://review.opendev.org/991411 (2025.2/flamingo)
- https://review.opendev.org/991412 (2025.2/flamingo)
- https://review.opendev.org/991413 (2025.2/flamingo)
- https://review.opendev.org/991414 (2025.2/flamingo)
- https://review.opendev.org/991415 (2025.2/flamingo)
- https://review.opendev.org/991400 (2026.1/gazpacho)
- https://review.opendev.org/991401 (2026.1/gazpacho)
- https://review.opendev.org/991402 (2026.1/gazpacho)
- https://review.opendev.org/991403 (2026.1/gazpacho)
- https://review.opendev.org/991404 (2026.1/gazpacho)
- https://review.opendev.org/991405 (2026.1/gazpacho)
- https://review.opendev.org/991406 (2026.1/gazpacho)
- https://review.opendev.org/991407 (2026.1/gazpacho)
- https://review.opendev.org/991392 (2026.2/hibiscus)
- https://review.opendev.org/991393 (2026.2/hibiscus)
- https://review.opendev.org/991394 (2026.2/hibiscus)
- https://review.opendev.org/991395 (2026.2/hibiscus)
- https://review.opendev.org/991396 (2026.2/hibiscus)
- https://review.opendev.org/991397 (2026.2/hibiscus)
- https://review.opendev.org/991398 (2026.2/hibiscus)
- https://review.opendev.org/991399 (2026.2/hibiscus)
Credits
~~~~~~~
- Eduardo Gonzalez Gutierrez from Independent (CVE-2026-41283)
- Arnaud Morin from OVHcloud (CVE-2026-41283)
References
~~~~~~~~~~
- https://launchpad.net/bugs/2147178
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41283
--
Goutham Pacha Ravi
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
Download attachment "OpenPGP_0x0638DAD3B82C3988.asc" of type "application/pgp-keys" (3241 bytes)
Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (841 bytes)
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
