Vulnerability Description
In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openstack | Vitrage | < 12.01 |
Related Weaknesses (CWE)
References
- https://github.com/openstack/vitrage/blob/a1f86950e1314b0c740f9cd9b7e9dbab7d02afIssue Tracking
- https://storyboard.openstack.org/#%21/story/2011539ExploitIssue TrackingVendor Advisory
- http://www.openwall.com/lists/oss-security/2026/03/03/6
FAQ
What is CVE-2026-28370?
CVE-2026-28370 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitr...
How severe is CVE-2026-28370?
CVE-2026-28370 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-28370?
Check the references section above for vendor advisories and patch information. Affected products include: Openstack Vitrage.