
CVE-2026-28370: Critical Vulnerability in OpenStack Vitrage

A critical vulnerability in OpenStack Vitrage allows a user who already has access to the Vitrage API to execute arbitrary code on the host running the Vitrage service. Organizations should prioritize remediation: fixed releases exist (see Affected Versions), and the exposure is a full compromise of the service host rather than of the API alone.

CRITICAL · CVSS 9.1 · Published February 27, 2026


In OpenStack Vitrage releases before 12.0.1, in 13.0.0 before 13.0.1, in 14.0.0 before 14.0.1, and in 15.0.0 before 15.0.1, the query parser that builds a callable from an API-supplied query (the _create_query_function in vitrage/graph/query.py) allows a user with access to the Vitrage API to execute arbitrary code on the service host. Because that code runs with the privileges of the Vitrage service, any deployment that exposes the Vitrage API to identities it does not fully trust is at risk.

The severity is classified as critical with a CVSS 3.1 base score of 9.1. The attack vector is network, attack complexity is low and no user interaction is needed, but the attacker must already hold high privileges on the Vitrage API (see Technical Analysis). In practice that means any privileged API credential, whether a legitimate operator account or a stolen token, is enough to take over the Vitrage host.

Given the high confidentiality, integrity and availability impact, patching should be treated as immediate rather than scheduled into a routine maintenance window.

No public exploit or proof of concept has been confirmed at the time of writing. That does not lower the urgency: the flaw is an eval-style injection in a request parser, a class that is usually straightforward to weaponize once the fix is public.

Organizations running OpenStack Vitrage should upgrade to a fixed release and verify the running version of every vitrage-api instance, including instances installed by a distribution or deployment tool whose packages may lag upstream (for example with `pip show vitrage` in the service's Python environment). Regular security assessments of the control plane should confirm that the fix is actually deployed everywhere.

Vulnerability Details

CVE-2026-28370 affects OpenStack Vitrage, the root cause analysis service of OpenStack. It is classified under CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'), meaning attacker-controlled input reaches a step that evaluates it as code. The CVSS 3.1 base score is 9.1 (critical).

The vulnerability was published on February 27, 2026. The NVD record may be updated as analysis continues, so re-check the affected-version ranges against the current record and the OpenStack security advisory rather than relying on this page alone.

Technical Analysis

The root cause is that the Vitrage API's query parser does not neutralize user-controlled parts of a query before they are evaluated as code, so a crafted query executes arbitrary Python with the privileges of the Vitrage service: the vitrage-api process and, through it, the service's configuration and credentials. The attack vector is network and no user interaction is required.

The metrics on this page (network vector, low complexity, high privileges required, no user interaction, high confidentiality, integrity and availability impact) produce a 9.1 only under a changed scope, which fits the description: a flaw inside the API's authorization boundary yields code execution on the underlying host. "High privileges" means the attacker needs an account that is permitted to call the Vitrage API, not host or root access; "low complexity" means nothing more than a crafted request is needed. Successful exploitation therefore gives the attacker everything the Vitrage service can read or reach, and the ability to disrupt it.
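The following is an added illustration of the CWE-95 pattern described above and of the fix shape a reviewer would expect; it is not the Vitrage code, and the query grammar ({"and": [...]}, {"==": {"field": "value"}}), field names and sample items are constructed for the demo. The vulnerable parser pastes query operands into Python source and calls eval(); the hardened parser compiles the same grammar into closures so operands only ever travel as data.

```python
"""Added example: eval injection in a JSON query parser, and a safe rewrite.

This models the bug class the advisory describes. It is NOT the Vitrage
code; the grammar, field names and sample items are constructed.
"""
import json
import operator

# Constructed sample graph items the query runs against.
SAMPLE_ITEMS = [
    {"category": "ALARM", "host": "h1", "severity": 3},
    {"category": "RESOURCE", "host": "h1", "severity": 0},
    {"category": "ALARM", "host": "h2", "severity": 1},
]

# Side-effect sink so a test can prove attacker-supplied code actually ran.
CANARY = []

BENIGN_QUERY = json.dumps(
    {"and": [{"==": {"category": "ALARM"}}, {"==": {"host": "h1"}}]})

# The operand closes the quoted literal, appends to CANARY, then re-opens a
# literal with "or ('" so the generated source still parses.
INJECTED_QUERY = json.dumps(
    {"==": {"host": "h1') or CANARY.append(1) or ('"}})


# --- Vulnerable pattern: build Python source from the query, then eval() ---
def _expr(query):
    [(op, operand)] = query.items()
    if op in ("and", "or"):
        return "(" + (" %s " % op).join(_expr(q) for q in operand) + ")"
    if op in ("==", "!="):
        [(field, value)] = operand.items()
        # Untrusted value pasted into source text: a quote inside it is code.
        return "(item.get('%s') %s '%s')" % (field, op, value)
    raise ValueError("unknown operator %r" % op)


def vulnerable_predicate(query_json):
    """Return a callable; any string operand can inject Python here."""
    return eval("lambda item: " + _expr(json.loads(query_json)))


# --- Hardened pattern: compile the query into closures, no eval() ----------
_CMP = {"==": operator.eq, "!=": operator.ne}


def _compile(query):
    if not isinstance(query, dict) or len(query) != 1:
        raise ValueError("query node must have exactly one operator")
    [(op, operand)] = query.items()
    if op == "and":
        subs = [_compile(q) for q in operand]
        return lambda item: all(p(item) for p in subs)
    if op == "or":
        subs = [_compile(q) for q in operand]
        return lambda item: any(p(item) for p in subs)
    if op in _CMP:
        if not isinstance(operand, dict) or len(operand) != 1:
            raise ValueError("comparison needs exactly one field")
        [(field, value)] = operand.items()
        if not isinstance(value, (str, int, float, bool, type(None))):
            raise ValueError("operand must be a scalar")
        cmp = _CMP[op]
        # The operand is compared as a value; it is never parsed as code.
        return lambda item: cmp(item.get(field), value)
    raise ValueError("unknown operator %r" % op)


def safe_predicate(query_json):
    """Same grammar as vulnerable_predicate, with no dynamic evaluation."""
    return _compile(json.loads(query_json))


def matching_hosts(predicate, items=SAMPLE_ITEMS):
    """Hosts of the items a predicate accepts (helper for the demo)."""
    return [i["host"] for i in items if predicate(i)]


if __name__ == "__main__":
    print(matching_hosts(vulnerable_predicate(BENIGN_QUERY)))   # ['h1']
    print(matching_hosts(safe_predicate(BENIGN_QUERY)))         # ['h1']
    vulnerable_predicate(INJECTED_QUERY)(SAMPLE_ITEMS[2])       # runs payload
    print("payload ran:", bool(CANARY))                          # True
    print(matching_hosts(safe_predicate(INJECTED_QUERY)), CANARY)  # [] [1]
```

Both parsers agree on the benign query. Against the injected query the eval-based one executes attacker code the first time it evaluates an item the literal comparison does not short-circuit, while the compiled one simply finds no host equal to the odd-looking string. Note that the fix is not "escape the quotes": any string-to-source path is a liability, so the query should never become source at all.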

Risk & Impact Analysis

Exploitation yields code execution as the Vitrage service account on the API host. From there the attacker holds whatever that process holds: the service configuration, including the credentials Vitrage uses to poll other OpenStack services and datasources, its database and message-queue access, and a foothold on the control-plane network. The blast radius therefore reaches beyond Vitrage to anything those credentials and network paths can touch, in every deployment that exposes the Vitrage API.

Given the critical score, assess exposure first (who can reach the API endpoint, and which identities hold the privileges it requires) and prioritize remediation accordingly.

Signal               Status
Known Exploit        No
Public PoC           No
Actively Exploited   No
Ransomware Use       No

Affected Versions

The affected ranges listed for this CVE are: all versions prior to 12.0.1; 13.0.0 to 13.0.1; 14.0.0 to 14.0.1; and 15.0.0 to 15.0.1. Read as NVD-style "from X before Y" ranges, this puts the first fixed release of each series at 12.0.1, 13.0.1, 14.0.1 and 15.0.1; confirm the exact fixed versions against the OpenStack security advisory before relying on them, and upgrade to at least those releases on the series you run.

Mitigation & Remediation

Upgrade every Vitrage installation to a fixed release (at least 12.0.1, 13.0.1, 14.0.1 or 15.0.1 as the affected ranges above imply; confirm against the OpenStack security advisory). Until that is done, reduce both who can reach the API and who is privileged on it: restrict network access to the Vitrage API endpoint to the operators and services that need it, review the Vitrage policy rules (oslo.policy) and Keystone role assignments so that only trusted identities can call it, and rotate the service's credentials if there is any reason to believe they were exposed. Monitoring of the API hosts should be in place to catch exploitation that precedes the upgrade.


Detection Guidance

To detect exploitation attempts, log the full request (including the query parameter or body) on the Vitrage API and look for query operands that contain quote characters, parentheses, or Python tokens such as __import__, eval, exec or os.system, none of which appear in legitimate graph filters. On the host, watch for unexpected child processes of the vitrage-api process, new outbound connections from it, and file or configuration changes made by the Vitrage service account. Treat any anomalous query from an identity that does not normally use the API as an incident: because the flaw requires a privileged credential, that credential itself may be compromised.
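As an added example of the log-side check described above (not part of the advisory or of Vitrage), the script below pulls the `query` URL parameter out of API access-log lines, decodes it, and flags requests whose operands contain code-like tokens or that are not valid JSON at all. The log lines are constructed to resemble a WSGI access log; real deployments differ in format, and the assumption that the filter arrives in a parameter named `query` should be checked against your own logs.

```python
"""Added example: triage Vitrage API access logs for query-injection attempts.

Not part of the advisory or of Vitrage. Assumed: the JSON filter arrives in
a ``query`` URL parameter and the access log records the full request target.
The log lines below are constructed.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines: one benign request, then two suspicious ones.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Feb/2026:10:01:02] "GET /v1/topology/?query=%7B%22%3D%3D%22%3A%7B%22vitrage_type%22%3A%22nova.host%22%7D%7D HTTP/1.1" 200
10.0.0.9 - - [27/Feb/2026:10:01:09] "GET /v1/alarms/?query=%7B%22%3D%3D%22%3A%7B%22name%22%3A%22x%27%29+or+__import__%28%27os%27%29.system%28%27id%27%29+or+%28%27%22%7D%7D HTTP/1.1" 200
10.0.0.9 - - [27/Feb/2026:10:01:15] "GET /v1/topology/?query=not%20json HTTP/1.1" 400
"""

REQ_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Tokens that have no business inside a graph-filter operand.
CODE_TOKENS = re.compile(
    r"__import__|\beval\b|\bexec\b|\bos\.|subprocess|\blambda\b|[()'\"]")


def _scalars(node):
    """Yield every scalar operand in a nested and/or/comparison query."""
    if isinstance(node, dict):
        for v in node.values():
            yield from _scalars(v)
    elif isinstance(node, list):
        for v in node:
            yield from _scalars(v)
    else:
        yield node


def classify_query(raw):
    """Return a reason if the decoded query looks hostile, else None."""
    try:
        q = json.loads(raw)
    except ValueError:
        return "unparseable query"
    for s in _scalars(q):
        if isinstance(s, str) and CODE_TOKENS.search(s):
            return "code-like operand: %r" % s
    return None


def scan_log(text):
    """Return (source_ip, reason) for each request whose query looks hostile."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # not a request line; skip rather than guess
        params = parse_qs(urlsplit(m["target"]).query)
        for raw in params.get("query", []):
            reason = classify_query(raw)
            if reason:
                hits.append((m["src"], reason))
    return hits


if __name__ == "__main__":
    for src, reason in scan_log(SAMPLE_LOG):
        print(src, reason)
```

The benign filter ({"==": {"vitrage_type": "nova.host"}}) passes; the second line decodes to an operand carrying __import__('os').system(...) and is flagged, and the malformed third request is flagged as probing. Because the vulnerability needs a privileged caller, each hit should be joined with the Keystone user behind the request, not just the source address.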

AppSecure Threat Intelligence Insight

CVE-2026-28370 is a reminder that control-plane services such as Vitrage are often reachable by more identities than their operators assume, and that an "authenticated only" API is not a sufficient boundary when a single request yields code execution. Continuous security testing and vulnerability management remain the baseline.

Regular penetration testing of the OpenStack control plane, including API authorization and input handling, finds this class of flaw before an attacker does. Tracking OpenStack security advisories as they are published is equally important for a timely response.


In conclusion, addressing CVE-2026-28370 is critical for organizations using OpenStack Vitrage to safeguard their environments and maintain trust with their users.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
