CVE-2026-42997
Published: 05 May 2026
Summary
CVE-2026-42997 is a high-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in OpenStack (inferred from references). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); it is ranked at the 1.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-20 (Use of External Systems) and AC-4 (Information Flow Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations to control the flow of sensitive Keystone tokens and credentials, preventing their unauthorized transfer to user-controlled remote endpoints during molds import.
- Validates user-supplied remote endpoint inputs in the molds import process to block malicious URLs that could receive forwarded credentials.
- Requires authorization and controls for information flows to external systems, mitigating the forwarding of service credentials to attacker-specified remote endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability directly enables an attacker to force forwarding of Keystone tokens/basic credentials to a remote endpoint (T1528: Steal Application Access Token and T1552: Unsecured Credentials); captured tokens then allow use of valid cloud accounts across OpenStack services (T1078.004).
NVD Description
An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
Deeper analysis
CVE-2026-42997 affects the iDRAC component in OpenStack Ironic versions before 35.0.1. The vulnerability arises during the import process when a user invoking molds can request that authorization credentials be forwarded to a remote endpoint under their control. These credentials include either a time-limited Keystone token, which grants access to all OpenStack services that Ironic is authorized for, or basic credentials configured for molds storage. The issue is classified under CWE-669 and carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
A low-privileged user (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By specifying a malicious remote endpoint during molds import, the attacker receives the sensitive credentials, giving high confidentiality impact (C:H) with a change of scope (S:C), because the forwarded credentials are valid beyond Ironic itself. The attacker could then use the Keystone token for unauthorized access across the OpenStack services Ironic is authorized for, or use the basic credentials for molds storage.
OpenStack Security Advisory OSSA-2026-010 addresses the vulnerability, with fixes released in OpenStack Ironic versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. Security practitioners should upgrade to these versions to mitigate the issue. Further technical details are provided in the oss-security mailing list announcements at the referenced URLs.
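The core defensive pattern behind the AC-4 and input-validation controls listed above is simple: a service must never forward its own credentials to an endpoint chosen freely by the caller; the destination has to be checked against an operator-maintained allowlist first. The following is an added illustration of that check and is not OpenStack Ironic's code or the upstream fix; the hostnames in the allowlist, the function names, and the sample URLs are all constructed for the example. It rejects the usual ways a user-supplied URL slips past a naive string comparison (wrong scheme, userinfo in front of the host, look-alike suffixes, non-standard ports).

```python
"""Allowlist check for remote endpoints that may receive a forwarded credential.

Hypothetical example: the hostnames, function names and URLs below are
constructed and are not taken from OpenStack Ironic.
"""
from urllib.parse import urlsplit

# Constructed operator-side allowlist of hosts that are permitted to receive
# service credentials (for example a molds storage backend). Exact hostnames only.
APPROVED_ENDPOINT_HOSTS = frozenset({
    "molds-storage.internal.example",
    "artifacts.internal.example",
})


def endpoint_is_approved(url: str, approved_hosts=APPROVED_ENDPOINT_HOSTS) -> bool:
    """Return True only if `url` points at an approved host over HTTPS.

    The check works on the parsed URL, not on the raw string, so that
    'https://trusted.example@attacker.example/' or
    'https://trusted.example.attacker.example/' are not mistaken for
    'trusted.example'.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False

    # Credentials must only ever travel over TLS.
    if parts.scheme != "https":
        return False

    # A userinfo component (user:pass@host) is a classic way to make the
    # "trusted" name appear in the URL while the real host is elsewhere.
    if parts.username is not None or parts.password is not None:
        return False

    host = parts.hostname  # already lowercased by urlsplit
    if not host or host not in approved_hosts:
        return False

    # Only the default HTTPS port (or an explicit 443) is accepted; an odd port
    # usually means a different service than the one the operator approved.
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return False
    return port in (None, 443)


def select_forward_target(requested_url: str,
                          approved_hosts=APPROVED_ENDPOINT_HOSTS) -> str:
    """Gate the credential-forwarding step: return the URL if approved,
    otherwise refuse with an exception so no token or password ever leaves."""
    if not endpoint_is_approved(requested_url, approved_hosts):
        raise ValueError(
            "refusing to forward credentials to unapproved endpoint: %r"
            % requested_url)
    return requested_url


if __name__ == "__main__":
    # Constructed sample inputs a caller might supply.
    for candidate in (
        "https://molds-storage.internal.example/molds/set-a",
        "http://molds-storage.internal.example/molds/set-a",
        "https://molds-storage.internal.example@attacker.example/",
        "https://molds-storage.internal.example.attacker.example/",
        "https://molds-storage.internal.example:8443/",
    ):
        print(f"{candidate!s:65} approved={endpoint_is_approved(candidate)}")
```

The allowlist is deliberately a set of exact hostnames rather than a suffix or regex match; if a deployment needs wildcard subdomains, the comparison should be on the parsed hostname with an explicit dot-anchored suffix, never a substring test on the raw URL.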
Details
- CWE(s)