CVE-2026-41283
9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OpenStack | Mistral | 20.0.0 < 20.1.1 | affected |
| OpenStack | Mistral | 21.0.0 | affected |
| OpenStack | Mistral | 22.0.0 | affected |
Weaknesses
- CWE-863: CWE-863 Incorrect Authorization
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
openstack-mistral: OpenStack Mistral: Arbitrary Remote Code Execution via exposed API endpoints
Additional References
- https://access.redhat.com/security/cve/CVE-2026-41283
- https://bugzilla.redhat.com/show_bug.cgi?id=2484607
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41283.json
References
- https://github.com/openstack/mistral/tags
- https://www.openwall.com/lists/oss-security/2026/06/03/14
- https://security.openstack.org/ossa/OSSA-2026-020.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.