{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-54421", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-06-14T03:49:37.600Z", "datePublished": "2026-06-14T03:49:37.996Z", "dateUpdated": "2026-06-16T22:38:18.549Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Ironic", "repo": "https://opendev.org/openstack/ironic", "vendor": "OpenStack", "versions": [{"lessThan": "29.0.6", "status": "affected", "version": "17.0.0", "versionType": "semver"}, {"lessThan": "32.0.2", "status": "affected", "version": "30.0.0", "versionType": "semver"}, {"lessThan": "35.0.2", "status": "affected", "version": "33.0.0", "versionType": "semver"}, {"lessThan": "37.0.1", "status": "affected", "version": "36.0.0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.0.0", "versionEndExcluding": "29.0.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*", "versionStartIncluding": "30.0.0", "versionEndExcluding": "32.0.2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*", "versionStartIncluding": "33.0.0", "versionEndExcluding": "35.0.2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*", "versionStartIncluding": "36.0.0", "versionEndExcluding": "37.0.1"}]}]}], "descriptions": [{"lang": "en", "value": "In OpenStack Ironic before 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-212", "description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-06-16T21:44:35.341Z"}, "references": [{"url": "https://bugs.launchpad.net/ironic/+bug/2155049"}, {"url": "https://security.openstack.org/ossa/OSSA-2026-023.html"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-15T17:11:47.109616Z", "id": "CVE-2026-54421", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T17:11:57.707Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/16/10"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-16T22:38:18.549Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/16/10"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-16T22:38:18.549Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-54421", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-15T17:11:47.109616Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T17:11:51.775Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://opendev.org/openstack/ironic", "vendor": "OpenStack", "product": "Ironic", "versions": [{"status": "affected", "version": "17.0.0", "lessThan": "29.0.6", "versionType": "semver"}, {"status": "affected", "version": "30.0.0", "lessThan": "32.0.2", "versionType": "semver"}, {"status": "affected", "version": "33.0.0", "lessThan": "35.0.2", "versionType": "semver"}, {"status": "affected", "version": "36.0.0", "lessThan": "37.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://bugs.launchpad.net/ironic/+bug/2155049"}, {"url": "https://security.openstack.org/ossa/OSSA-2026-023.html"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In OpenStack Ironic before 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-212", "description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "29.0.6", "versionStartIncluding": "17.0.0"}, {"criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "32.0.2", "versionStartIncluding": "30.0.0"}, {"criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "35.0.2", "versionStartIncluding": "33.0.0"}, {"criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "37.0.1", "versionStartIncluding": "36.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-06-16T21:44:35.341Z"}}}, "cveMetadata": {"cveId": "CVE-2026-54421", "state": "PUBLISHED", "dateUpdated": "2026-06-16T22:38:18.549Z", "dateReserved": "2026-06-14T03:49:37.600Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-06-14T03:49:37.996Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue."}], "id": "CVE-2026-54421", "lastModified": "2026-06-16T15:51:29.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-06-14T04:16:30.927", "references": [{"source": "cve@mitre.org", "url": "https://bugs.launchpad.net/ironic/+bug/2155049"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-212"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "openstack ironic: OpenStack Ironic: Information disclosure via PATCH request on volume properties", "id": "2488721", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488721"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-201", "details": ["In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.", "A flaw was found in OpenStack Ironic. When an authorized user applies a PATCH operation to update volume properties, the system can inadvertently expose sensitive information, such as iSCSI credentials. This information disclosure vulnerability allows an attacker to gain access to credentials that should remain confidential."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-54421", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openstack-ironic", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Fix deferred", "package_name": "openstack-ironic", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Fix deferred", "package_name": "openstack-ironic", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "openstack-ironic", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-06-14T03:49:37Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-54421\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-54421\nhttps://bugs.launchpad.net/ironic/+bug/2155049"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,35.0.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Ironic", "source": "cna", "vendor": "OpenStack"}, "product": "ironic", "vendor": "openstack"}], "created": "2026-06-14T05:30:07.216855+00:00", "updated": "2026-06-17T22:15:02.513321+00:00", "vendors": ["openstack", "openstack$PRODUCT$ironic"]}