CVE-2026-54421 | In OpenStack Ironic through 35.0.1, when applying a PATCH to… | CVSS 6.8 MEDIUM

Description

In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.

Metadata

CVE ID: CVE-2026-54421
State: PUBLISHED
Assigner: mitre
Reserved: 2026-06-14 03:49 UTC
Published: 2026-06-14 03:49 UTC
Last updated: 2026-06-14 03:49 UTC
Primary CWE: CWE-212
CWE-212 Improper Removal of Sensitive Information Before Sto…
Vendor / Product: OpenStack / Ironic
Sources: cve.org · NVD

Severity & Metrics

6.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
OpenStack	Ironic	—	0 ≤ 35.0.1

Weakness (CWE)

CWE	Source	Description
CWE-212	cna	CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.8	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

References (1)

https://bugs.launchpad.net/ironic/+bug/2155049