Vulnerability Details CVE-2026-42997
An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 28.8%
CVSS Severity
CVSS v3 Score 7.7
References
Products affected by CVE-2026-42997
-
cpe:2.3:a:openstack:ironic:17.0.0
-
cpe:2.3:a:openstack:ironic:17.0.1
-
cpe:2.3:a:openstack:ironic:17.0.2
-
cpe:2.3:a:openstack:ironic:17.0.3
-
cpe:2.3:a:openstack:ironic:17.0.4
-
cpe:2.3:a:openstack:ironic:17.1.0
-
cpe:2.3:a:openstack:ironic:18.0.0
-
cpe:2.3:a:openstack:ironic:18.1.0
-
cpe:2.3:a:openstack:ironic:18.2.0
-
cpe:2.3:a:openstack:ironic:18.2.1
-
cpe:2.3:a:openstack:ironic:18.2.2
-
cpe:2.3:a:openstack:ironic:18.3.0
-
cpe:2.3:a:openstack:ironic:19.0.0
-
cpe:2.3:a:openstack:ironic:20.0.0
-
cpe:2.3:a:openstack:ironic:20.1.0
-
cpe:2.3:a:openstack:ironic:20.1.1
-
cpe:2.3:a:openstack:ironic:20.1.2
-
cpe:2.3:a:openstack:ironic:20.1.3
-
cpe:2.3:a:openstack:ironic:20.2.0
-
cpe:2.3:a:openstack:ironic:21.0.0
-
cpe:2.3:a:openstack:ironic:21.1.0
-
cpe:2.3:a:openstack:ironic:21.1.1
-
cpe:2.3:a:openstack:ironic:21.1.2
-
cpe:2.3:a:openstack:ironic:21.2.0
-
cpe:2.3:a:openstack:ironic:21.3.0
-
cpe:2.3:a:openstack:ironic:21.4.0
-
cpe:2.3:a:openstack:ironic:21.4.1
-
cpe:2.3:a:openstack:ironic:21.4.2
-
cpe:2.3:a:openstack:ironic:21.4.3
-
cpe:2.3:a:openstack:ironic:21.4.4
-
cpe:2.3:a:openstack:ironic:22.0.0
-
cpe:2.3:a:openstack:ironic:22.1.0
-
cpe:2.3:a:openstack:ironic:23.0.0
-
cpe:2.3:a:openstack:ironic:23.0.1
-
cpe:2.3:a:openstack:ironic:23.0.2
-
cpe:2.3:a:openstack:ironic:23.0.3
-
cpe:2.3:a:openstack:ironic:23.0.4
-
cpe:2.3:a:openstack:ironic:23.0.5
-
cpe:2.3:a:openstack:ironic:23.1.0
-
cpe:2.3:a:openstack:ironic:24.0.0
-
cpe:2.3:a:openstack:ironic:24.1.0
-
cpe:2.3:a:openstack:ironic:24.1.1
-
cpe:2.3:a:openstack:ironic:24.1.2
-
cpe:2.3:a:openstack:ironic:24.1.3
-
cpe:2.3:a:openstack:ironic:24.1.4
-
cpe:2.3:a:openstack:ironic:24.1.5
-
cpe:2.3:a:openstack:ironic:25.0.0
-
cpe:2.3:a:openstack:ironic:26.0.0
-
cpe:2.3:a:openstack:ironic:26.1.0
-
cpe:2.3:a:openstack:ironic:26.1.1
-
cpe:2.3:a:openstack:ironic:26.1.2
-
cpe:2.3:a:openstack:ironic:26.1.3
-
cpe:2.3:a:openstack:ironic:26.1.4
-
cpe:2.3:a:openstack:ironic:26.1.5
-
cpe:2.3:a:openstack:ironic:27.0.0
-
cpe:2.3:a:openstack:ironic:28.0.0
-
cpe:2.3:a:openstack:ironic:29.0.0
-
cpe:2.3:a:openstack:ironic:29.0.1
-
cpe:2.3:a:openstack:ironic:29.0.2
-
cpe:2.3:a:openstack:ironic:29.0.3
-
cpe:2.3:a:openstack:ironic:29.0.4
-
cpe:2.3:a:openstack:ironic:30.0.0
-
cpe:2.3:a:openstack:ironic:31.0.0
-
cpe:2.3:a:openstack:ironic:32.0.0
-
cpe:2.3:a:openstack:ironic:33.0.0
-
cpe:2.3:a:openstack:ironic:34.0.0
-
cpe:2.3:a:openstack:ironic:35.0.0