CVE-2026-28370
Published: 27 February 2026
Summary
CVE-2026-28370 is a critical-severity Eval Injection (CWE-95) vulnerability in OpenStack Vitrage. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 12.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Timely flaw remediation through patching OpenStack Vitrage to fixed versions (12.0.1, 13.0.0, 14.0.0, or 15.0.0) directly eliminates the code injection vulnerability in the query parser.
Information input validation on Vitrage API queries prevents malicious code injection by ensuring only valid, non-malicious query constructs reach the flawed _create_query_function parser.
Least privilege enforcement for the Vitrage service process restricts the scope of unauthorized code execution triggered by high-privilege API users, limiting host compromise.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Code injection in the exposed Vitrage API directly enables T1190 (Exploit Public-Facing Application), leading to arbitrary Python code execution on the host (T1059.006) and, because of the scope change and host access, potential privilege escalation (T1068).
NVD Description
In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.
Deeper analysis [AI]
CVE-2026-28370 is a code injection vulnerability (CWE-95) in the query parser of OpenStack Vitrage versions before 12.0.1, 13.0.0, 14.0.0, and 15.0.0. It affects the _create_query_function method in vitrage/graph/query.py, where a user with access to the Vitrage API can trigger arbitrary code execution on the Vitrage service host. All deployments exposing the Vitrage API are vulnerable, with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
An authenticated user with high privileges (PR:H) who can access the Vitrage API over the network can exploit this flaw with low complexity and no user interaction required. Successful exploitation executes code on the Vitrage service host under the privileges of the service's running user, potentially granting unauthorized access to the host system and enabling further compromise of the Vitrage service itself.
Advisories recommend upgrading to OpenStack Vitrage 12.0.1, 13.0.0, 14.0.0, or 15.0.0, where the vulnerability is addressed. Additional details are available in the OpenStack storyboard at https://storyboard.openstack.org/#!/story/2011539, the OSS-security mailing list at http://www.openwall.com/lists/oss-security/2026/03/03/6, and the affected code at https://github.com/openstack/vitrage/blob/a1f86950e1314b0c740f9cd9b7e9dbab7d02af51/vitrage/graph/query.py#L70.
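As an added illustration of the information input validation control (SI-10) listed under Mitigating Controls, and of the CWE-95 pattern the analysis above describes: a query-to-predicate compiler that resolves every operator through an allowlist and never turns user-supplied query text into Python source. This is example code written for this page, not Vitrage's query.py or its fix; the JSON-style grammar, the field names and the sample vertices are all constructed here.

```python
import operator
from typing import Any, Callable, Dict, List

# Hypothetical JSON-style graph query grammar, constructed for this example
# (it is not Vitrage's actual query format):
#   {"and": [node, ...]}   {"or": [node, ...]}   {"not": node}
#   {"==": {"field": value}}  and likewise "!=", ">", ">=", "<", "<="
#   {"in": {"field": [value, ...]}}
# Every operator is looked up in an allowlist; nothing from the query is
# passed to eval()/exec() or formatted into Python source, so there is no
# code-injection surface regardless of what the caller sends.

COMPARISONS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    ">=": operator.ge,
    "<": operator.lt,
    "<=": operator.le,
}
SCALARS = (str, int, float, bool, type(None))
MAX_DEPTH = 16  # bounds recursion on adversarially nested input

Item = Dict[str, Any]
Predicate = Callable[[Item], bool]


def _single_pair(node: Any, what: str):
    """Return the (key, value) of a one-key dict, or reject the node."""
    if not isinstance(node, dict) or len(node) != 1:
        raise ValueError(f"{what} must be an object with exactly one key")
    (key, value), = node.items()
    return key, value


def _field_name(field: Any) -> str:
    # Field names are restricted to plain identifiers so they can never carry
    # operators, quotes or attribute access, whatever a backend does with them.
    if not isinstance(field, str) or not field.isidentifier():
        raise ValueError(f"invalid field name: {field!r}")
    return field


def _compare(cmp: Callable[[Any, Any], bool], left: Any, right: Any) -> bool:
    try:
        return bool(cmp(left, right))
    except TypeError:
        # e.g. ordering an int against a str: "does not match", not an error
        return False


def compile_query(query: Any, depth: int = 0) -> Predicate:
    """Validate a query tree and build a predicate over item dicts."""
    if depth > MAX_DEPTH:
        raise ValueError("query nesting too deep")
    op, arg = _single_pair(query, "query node")

    if op in ("and", "or"):
        if not isinstance(arg, list) or not arg:
            raise ValueError(f"'{op}' expects a non-empty list of nodes")
        subs = [compile_query(sub, depth + 1) for sub in arg]
        combine = all if op == "and" else any
        return lambda item: combine(p(item) for p in subs)

    if op == "not":
        sub = compile_query(arg, depth + 1)
        return lambda item: not sub(item)

    if op == "in":
        field, values = _single_pair(arg, "'in' argument")
        field = _field_name(field)
        if not isinstance(values, list) or not all(isinstance(v, SCALARS) for v in values):
            raise ValueError("'in' expects a list of scalar values")
        return lambda item: field in item and item[field] in values

    if op in COMPARISONS:
        field, value = _single_pair(arg, f"'{op}' argument")
        field = _field_name(field)
        if not isinstance(value, SCALARS):
            raise ValueError(f"'{op}' expects a scalar value")
        cmp = COMPARISONS[op]
        return lambda item: field in item and _compare(cmp, item[field], value)

    # Anything else, including builtin or dunder names, is rejected outright.
    raise ValueError(f"unsupported operator: {op!r}")


def is_valid_query(query: Any) -> bool:
    """True if the query passes validation, False if compile_query rejects it."""
    try:
        compile_query(query)
        return True
    except ValueError:
        return False


def filter_items(items: List[Item], query: Any) -> List[Item]:
    predicate = compile_query(query)
    return [item for item in items if predicate(item)]


# Constructed sample data: a handful of graph vertices as plain dicts.
SAMPLE_ITEMS: List[Item] = [
    {"name": "host-1", "category": "RESOURCE", "severity": 0},
    {"name": "cpu-high", "category": "ALARM", "severity": 3},
    {"name": "disk-warn", "category": "ALARM", "severity": 1},
    {"name": "link-down", "category": "ALARM", "severity": "critical"},
]

if __name__ == "__main__":
    q = {"and": [{"==": {"category": "ALARM"}}, {">=": {"severity": 2}}]}
    print([v["name"] for v in filter_items(SAMPLE_ITEMS, q)])  # ['cpu-high']
```

The design point is that the query language is a closed data structure interpreted by the service, not a string the service evaluates: unknown operators, non-identifier field names, non-scalar values and excessive nesting are all rejected before any predicate runs, which is what SI-10 asks of the API layer even after the patched versions are deployed.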
Details
- CWE(s)