Bug 2494664 (CVE-2026-44918)

Summary: CVE-2026-44918 openstack-ironic: Prevent rehoming resources to nodes with different owner
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: eglynn, jjoyce, jpretori, jschluet, lhh, mburns, mgarciac, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in OpenStack Ironic. An authenticated project manager can change the node associated with Volume Connectors or Volume Target objects, potentially changing the project permitted to access the object. Volume Connectors contain secrets in environments configuring boot from volume with iSCSI volumes. Additionally, a project manager with the ability to create nodes can use the UUID of a node not owned by their project as a parent node when creating a new node. This mismatched child node can then be used to impact operations on the parent, such as forcing it to power on.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-07-08   

Description Marco Benatto 2026-06-29 20:49:20 UTC
An authenticated project manager can change the node associated with Volume Connectors or Volume Target objects, potentially changing the project permitted to access the object. Volume Connectors contain secrets in environments configuring boot from volume with iSCSI volumes. This is tracked as bug #2150256.