Common Weakness Enumeration

CWE-669

Allowed-with-Review

Incorrect Resource Transfer Between Spheres

Abstraction: Class · Status: Draft

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

144 vulnerabilities reference this CWE, most recent first.

CVE-2026-48847 (GCVE-0-2026-48847)

Vulnerability from cvelistv5 – Published: 2026-05-25 19:23 – Updated: 2026-05-26 13:02
VLAI
Summary
Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
Impacted products
Vendor Product Version
Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
Affected: 1.7.0 , < 1.7.1 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48847",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T13:02:06.964955Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T13:02:10.123Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Webmail",
          "vendor": "Roundcube",
          "versions": [
            {
              "lessThan": "1.6.16",
              "status": "affected",
              "version": "1.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.7.1",
              "status": "affected",
              "version": "1.7.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.6.16",
                  "versionStartIncluding": "1.6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.7.1",
                  "versionStartIncluding": "1.7.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-25T19:23:40.853Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/commit/a4eb375b98cc3d055de665c34efc729dd8ef272a"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/commit/703318e6a59515b73b0d8aa2a91e346b02f56baa"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-48847",
    "datePublished": "2026-05-25T19:23:40.853Z",
    "dateReserved": "2026-05-25T19:23:40.394Z",
    "dateUpdated": "2026-05-26T13:02:10.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48846 (GCVE-0-2026-48846)

Vulnerability from cvelistv5 – Published: 2026-05-25 19:21 – Updated: 2026-05-26 13:05
VLAI
Summary
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
Impacted products
Vendor Product Version
Roundcube Webmail Affected: 1.6.0 , < 1.6.16 (semver)
Affected: 1.7.0 , < 1.7.1 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48846",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T13:05:47.625139Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T13:05:56.818Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Webmail",
          "vendor": "Roundcube",
          "versions": [
            {
              "lessThan": "1.6.16",
              "status": "affected",
              "version": "1.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.7.1",
              "status": "affected",
              "version": "1.7.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.6.16",
                  "versionStartIncluding": "1.6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.7.1",
                  "versionStartIncluding": "1.7.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-25T19:21:09.656Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/commit/59cca80908a61e662c5f81741449e9aeb91e8abe"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/commit/852350486b88b35b8544e8a630fad89e99e2150a"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-48846",
    "datePublished": "2026-05-25T19:21:09.656Z",
    "dateReserved": "2026-05-25T19:21:09.220Z",
    "dateUpdated": "2026-05-26T13:05:56.818Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48845 (GCVE-0-2026-48845)

Vulnerability from cvelistv5 – Published: 2026-05-25 19:18 – Updated: 2026-05-27 03:55
VLAI
Summary
In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
Impacted products
Vendor Product Version
Roundcube Webmail Affected: 1.6.14 , < 1.6.16 (semver)
Affected: 1.7.0 , < 1.7.1 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48845",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T03:55:26.292Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Webmail",
          "vendor": "Roundcube",
          "versions": [
            {
              "lessThan": "1.6.16",
              "status": "affected",
              "version": "1.6.14",
              "versionType": "semver"
            },
            {
              "lessThan": "1.7.1",
              "status": "affected",
              "version": "1.7.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.6.16",
                  "versionStartIncluding": "1.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.7.1",
                  "versionStartIncluding": "1.7.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-25T19:18:09.549Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/commit/d82b8c6cd06c378eca6d647ccd548f4ff1c68659"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
        },
        {
          "url": "https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-48845",
    "datePublished": "2026-05-25T19:18:09.549Z",
    "dateReserved": "2026-05-25T19:18:09.073Z",
    "dateUpdated": "2026-05-27T03:55:26.292Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48831 (GCVE-0-2026-48831)

Vulnerability from cvelistv5 – Published: 2026-05-24 20:52 – Updated: 2026-05-27 03:55 Disputed
VLAI
Summary
Wine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandboxes, because MIME handlers are not intended for use by code interpreters and loaders. NOTE: some parties feel that this is not a bug to be addressed in Wine, because there is no known solution that avoids a severe loss of usability (Wine could be a binfmt-misc handler, but binfmt-misc does not exist on all platforms supported by Wine).
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
Impacted products
Vendor Product Version
WineHQ Wine Affected: 0.9 , ≤ 11.0 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-25T03:07:02.395Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/25/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48831",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T03:55:47.826Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Wine",
          "programFiles": [
            "loader/wine.desktop"
          ],
          "repo": "https://gitlab.winehq.org/wine/wine",
          "vendor": "WineHQ",
          "versions": [
            {
              "lessThanOrEqual": "11.0",
              "status": "affected",
              "version": "0.9",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:winehq:wine:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "11.0",
                  "versionStartIncluding": "0.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandboxes, because MIME handlers are not intended for use by code interpreters and loaders. NOTE: some parties feel that this is not a bug to be addressed in Wine, because there is no known solution that avoids a severe loss of usability (Wine could be a binfmt-misc handler, but binfmt-misc does not exist on all platforms supported by Wine)."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "CLEAR",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/V:D/U:Clear",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-24T20:52:36.535Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://bugs.winehq.org/show_bug.cgi?id=59767"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/05/19/1"
        }
      ],
      "tags": [
        "disputed"
      ],
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Remove /usr/share/applications/wine.desktop from the system to unregister the MIME handler that introduces the vulnerability."
            }
          ],
          "value": "Remove /usr/share/applications/wine.desktop from the system to unregister the MIME handler that introduces the vulnerability."
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-48831",
    "datePublished": "2026-05-24T20:52:36.535Z",
    "dateReserved": "2026-05-24T20:52:35.810Z",
    "dateUpdated": "2026-05-27T03:55:47.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46448 (GCVE-0-2026-46448)

Vulnerability from cvelistv5 – Published: 2026-06-16 00:00 – Updated: 2026-06-17 12:17
VLAI
Summary
In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
Impacted products
Vendor Product Version
OpenStack Nova Affected: 18.0.0 , < 31.3.1 (semver)
Affected: 32.0.0 , < 32.2.1 (semver)
Affected: 33.0.0 , < 33.0.2 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-16T19:16:38.300Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/16/5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46448",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T12:17:00.108810Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T12:17:30.606Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://bugs.launchpad.net/nova/+bug/2151252"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Nova",
          "vendor": "OpenStack",
          "versions": [
            {
              "lessThan": "31.3.1",
              "status": "affected",
              "version": "18.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "32.2.1",
              "status": "affected",
              "version": "32.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "33.0.2",
              "status": "affected",
              "version": "33.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "31.3.1",
                  "versionStartIncluding": "18.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "32.2.1",
                  "versionStartIncluding": "32.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "33.0.2",
                  "versionStartIncluding": "33.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T19:06:32.026Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://bugs.launchpad.net/nova/+bug/2151252"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/06/16/5"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-46448",
    "datePublished": "2026-06-16T00:00:00.000Z",
    "dateReserved": "2026-05-14T00:00:00.000Z",
    "dateUpdated": "2026-06-17T12:17:30.606Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46447 (GCVE-0-2026-46447)

Vulnerability from cvelistv5 – Published: 2026-06-03 00:00 – Updated: 2026-06-15 22:40
VLAI
Summary
OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
Impacted products
Vendor Product Version
OpenStack Ironic Affected: 17.0.0 , < 26.1.7 (semver)
Affected: 27.0.0 , < 29.0.6 (semver)
Affected: 30.0.0 , < 32.0.2 (semver)
Affected: 33.0.0 , < 35.0.2 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-15T22:40:19.590Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/03/11"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/15/9"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46447",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-04T15:15:09.125776Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-04T15:17:37.440Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Ironic",
          "vendor": "OpenStack",
          "versions": [
            {
              "lessThan": "26.1.7",
              "status": "affected",
              "version": "17.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "29.0.6",
              "status": "affected",
              "version": "27.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "32.0.2",
              "status": "affected",
              "version": "30.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "35.0.2",
              "status": "affected",
              "version": "33.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "26.1.7",
                  "versionStartIncluding": "17.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.6",
                  "versionStartIncluding": "27.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "32.0.2",
                  "versionStartIncluding": "30.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "35.0.2",
                  "versionStartIncluding": "33.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T03:18:40.368Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://bugs.launchpad.net/ironic/+bug/2150624"
        },
        {
          "url": "https://security.openstack.org/ossa/OSSA-2026-017.html"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-46447",
    "datePublished": "2026-06-03T00:00:00.000Z",
    "dateReserved": "2026-05-14T00:00:00.000Z",
    "dateUpdated": "2026-06-15T22:40:19.590Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44917 (GCVE-0-2026-44917)

Vulnerability from cvelistv5 – Published: 2026-06-04 00:00 – Updated: 2026-06-04 13:07
VLAI
Summary
OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
Impacted products
Vendor Product Version
OpenStack Ironic Affected: 17.0.0 , < 26.1.7 (semver)
Affected: 27.0.0 , < 29.0.6 (semver)
Affected: 30.0.0 , < 32.0.2 (semver)
Affected: 33.0.0 , < 35.0.2 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-04T05:40:39.892Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/03/13"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44917",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-04T13:07:24.820514Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-04T13:07:33.838Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Ironic",
          "vendor": "OpenStack",
          "versions": [
            {
              "lessThan": "26.1.7",
              "status": "affected",
              "version": "17.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "29.0.6",
              "status": "affected",
              "version": "27.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "32.0.2",
              "status": "affected",
              "version": "30.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "35.0.2",
              "status": "affected",
              "version": "33.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "26.1.7",
                  "versionStartIncluding": "17.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.6",
                  "versionStartIncluding": "27.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "32.0.2",
                  "versionStartIncluding": "30.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "35.0.2",
                  "versionStartIncluding": "33.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T03:36:05.844Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://bugs.launchpad.net/ironic/+bug/2148319"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/06/03/13"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-44917",
    "datePublished": "2026-06-04T00:00:00.000Z",
    "dateReserved": "2026-05-08T00:00:00.000Z",
    "dateUpdated": "2026-06-04T13:07:33.838Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44599 (GCVE-0-2026-44599)

Vulnerability from cvelistv5 – Published: 2026-05-07 02:11 – Updated: 2026-05-07 12:48
VLAI
Summary
Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
Impacted products
Vendor Product Version
torproject Tor Affected: 0 , < 0.4.9.7 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44599",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-07T12:47:28.922671Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-07T12:48:40.800Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Tor",
          "vendor": "torproject",
          "versions": [
            {
              "lessThan": "0.4.9.7",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.4.9.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T03:24:37.843Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://forum.torproject.org/c/news/tor-release-announcement/28"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/05/06/8"
        },
        {
          "url": "https://gitlab.torproject.org/tpo/core/tor/-/work_items/41243"
        },
        {
          "url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/50f90ba849088247734786922855c22661c6fa03"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-44599",
    "datePublished": "2026-05-07T02:11:56.238Z",
    "dateReserved": "2026-05-07T02:11:55.866Z",
    "dateUpdated": "2026-05-07T12:48:40.800Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42997 (GCVE-0-2026-42997)

Vulnerability from cvelistv5 – Published: 2026-05-05 00:00 – Updated: 2026-07-15 11:49
VLAI
Summary
An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-669 - Incorrect Resource Transfer Between Spheres
  • CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
Impacted products
Vendor Product Version
OpenStack Ironic Affected: 17.0.0 , < 26.1.6 (semver)
Affected: 27.0.0 , < 29.0.5 (semver)
Affected: 30.0.0 , < 32.0.1 (semver)
Affected: 33.0.0 , < 35.0.1 (semver)
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
Create a notification for this product.
Red Hat Red Hat OpenStack Platform 16.2     cpe:/a:redhat:openstack:16.2
Create a notification for this product.
Red Hat Red Hat OpenStack Platform 17.1     cpe:/a:redhat:openstack:17.1
Create a notification for this product.
Red Hat Red Hat OpenStack Platform 18.0     cpe:/a:redhat:openstack:18.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42997",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T18:38:38.789483Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-05T18:38:50.914Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-05T19:32:05.605Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/05/10"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift:4"
            ],
            "defaultStatus": "affected",
            "packageName": "openstack-ironic",
            "product": "Red Hat OpenShift Container Platform 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openstack:16.2"
            ],
            "defaultStatus": "unaffected",
            "packageName": "openstack-ironic",
            "product": "Red Hat OpenStack Platform 16.2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openstack:17.1"
            ],
            "defaultStatus": "affected",
            "packageName": "openstack-ironic",
            "product": "Red Hat OpenStack Platform 17.1",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openstack:18.0"
            ],
            "defaultStatus": "affected",
            "packageName": "openstack-ironic",
            "product": "Red Hat OpenStack Platform 18.0",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-05T00:00:00.000Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in OpenStack Ironic. During the import process, a user invoking molds can request that authorization credentials be sent to a remote endpoint. This can lead to the disclosure of a time-limited Keystone token, which grants access to OpenStack services Ironic is authorized for, or basic credentials configured for molds storage. This information disclosure could allow an attacker to gain unauthorized access to other OpenStack services."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-201",
                "description": "Insertion of Sensitive Information Into Sent Data",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T11:49:10.674Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-42997"
          },
          {
            "name": "RHBZ#2466844",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466844"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42997.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:39811"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:39811: Red Hat OpenStack Services on OpenShift 18.0"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-05T19:01:17.710Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-05T00:00:00.000Z",
            "value": "Made public."
          }
        ],
        "title": "OpenStack Ironic: OpenStack Ironic: Information disclosure via credential forwarding during mold import",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Ironic",
          "vendor": "OpenStack",
          "versions": [
            {
              "lessThan": "26.1.6",
              "status": "affected",
              "version": "17.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "29.0.5",
              "status": "affected",
              "version": "27.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "32.0.1",
              "status": "affected",
              "version": "30.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "35.0.1",
              "status": "affected",
              "version": "33.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "26.1.6",
                  "versionStartIncluding": "17.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.5",
                  "versionStartIncluding": "27.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "32.0.1",
                  "versionStartIncluding": "30.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "35.0.1",
                  "versionStartIncluding": "33.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-06T06:12:45.933Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/05/05/10"
        },
        {
          "url": "https://security.openstack.org/ossa/OSSA-2026-010.html"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-42997",
    "datePublished": "2026-05-05T00:00:00.000Z",
    "dateReserved": "2026-05-01T00:00:00.000Z",
    "dateUpdated": "2026-07-15T11:49:10.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41525 (GCVE-0-2026-41525)

Vulnerability from cvelistv5 – Published: 2026-04-28 00:00 – Updated: 2026-05-19 05:20
VLAI
Summary
KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
Impacted products
Vendor Product Version
KDE Dolphin Affected: 0 , < 25.12.3 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41525",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-28T13:39:30.204900Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T13:44:54.714Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-19T05:20:47.056Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/19/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Dolphin",
          "vendor": "KDE",
          "versions": [
            {
              "lessThan": "25.12.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin\u0027s implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T07:02:46.536Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://invent.kde.org/system/dolphin/"
        },
        {
          "url": "https://github.com/KDE/dolphin/releases/tag/v25.12.3"
        },
        {
          "url": "https://kde.org/info/security/advisory-20260427-2.txt"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-41525",
    "datePublished": "2026-04-28T00:00:00.000Z",
    "dateReserved": "2026-04-20T00:00:00.000Z",
    "dateUpdated": "2026-05-19T05:20:47.056Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.