CVE-2026-28370

Source
https://cve.org/CVERecord?id=CVE-2026-28370
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28370.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28370
Aliases
Downstream
Published
2026-02-27T05:18:20.757Z
Modified
2026-03-13T04:12:10.029304Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
[none]
Details

In the query parser in OpenStack Vitrage before 12.0.1, 13.0.1, 14.0.1, and 15.0.1, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. The flaw is in createquery_function in vitrage/graph/query.py. Note that the CVSS vector requires high privileges (PR:H): the attacker must already hold credentials that the Vitrage API accepts.
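The class of bug described above (a query parser that turns an untrusted filter into executable code) is easier to recognise side by side with its safe counterpart. The following is an added example and is not Vitrage's code: the and/or/==/!= query grammar, the function names, the `_MARK` marker list and the injected field name are all constructed for illustration. The vulnerable builder splices query keys and values into Python source and calls eval() on it; the hardened builder interprets the same query structurally into closures, so field names and values stay data.

```python
import operator

# Constructed, illustrative query grammar (an and/or/==/!= filter over flat
# dicts).  This is an added example, not Vitrage's own parser or grammar.
#   {"==": {"field": value}}     item[field] equals value
#   {"!=": {"field": value}}     item[field] differs from value
#   {"and": [q1, q2, ...]}       every sub-query holds
#   {"or":  [q1, q2, ...]}       at least one sub-query holds

_MARK = []   # written by the injected payload below, to prove code ran


def vulnerable_create_predicate(query):
    """The dangerous pattern: translate the query into Python source text and
    eval() it.  Field names and values from the untrusted query are spliced
    into that source unescaped, so a crafted field name closes the quote and
    continues as arbitrary Python that runs whenever the predicate is called.
    """
    def build(q):
        (op, body), = q.items()
        if op in ("and", "or"):
            return "(" + f" {op} ".join(build(sub) for sub in body) + ")"
        if op in ("==", "!="):
            (field, value), = body.items()
            return f"(item.get('{field}') {op} '{value}')"
        raise ValueError(f"unsupported operator {op!r}")

    return eval("lambda item: " + build(query))


_OPS = {"==": operator.eq, "!=": operator.ne}


def safe_create_predicate(query):
    """Hardened form: walk the query structurally and compose closures.
    No source text is generated or evaluated, so a field name or value is
    only ever data, never code.  The shape is validated at each level.
    """
    if not isinstance(query, dict) or len(query) != 1:
        raise ValueError("query must be a single-operator dict")
    (op, body), = query.items()
    if op in ("and", "or"):
        if not isinstance(body, list) or not body:
            raise ValueError(f"{op!r} takes a non-empty list of sub-queries")
        subs = [safe_create_predicate(sub) for sub in body]
        combine = all if op == "and" else any
        return lambda item: combine(p(item) for p in subs)
    if op in _OPS:
        if not isinstance(body, dict) or len(body) != 1:
            raise ValueError(f"{op!r} takes exactly one field/value pair")
        (field, value), = body.items()
        if not isinstance(field, str):
            raise ValueError("field name must be a string")
        cmp = _OPS[op]
        return lambda item: cmp(item.get(field), value)
    raise ValueError(f"unsupported operator {op!r}")


# Constructed payload: the "field name" ends the quoted string, appends to
# _MARK, then re-opens a string so the generated source still parses.
INJECTED_FIELD = "category') or _MARK.append('pwned') or ('"


def demonstrate_injection():
    """Run the same attacker-controlled query through both builders and
    report what got executed.  Returns (marks_after_vulnerable, marks_after_safe)."""
    query = {"==": {INJECTED_FIELD: "ALARM"}}
    _MARK.clear()
    vulnerable_create_predicate(query)({})      # the eval'd lambda runs the payload
    after_vulnerable = list(_MARK)
    _MARK.clear()
    safe_create_predicate(query)({})            # just a dict lookup on an odd key
    after_safe = list(_MARK)
    return after_vulnerable, after_safe


if __name__ == "__main__":
    print(demonstrate_injection())
```

The payload appends to a list rather than spawning a process only so the demonstration is self-contained; in the eval-based builder anything reachable from the module's globals, including `__import__`, is equally reachable. The hardened builder also rejects malformed shapes (multiple pairs under one operator, empty and/or lists, non-string field names) instead of silently accepting them.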

References

Affected packages

Git / github.com/openstack/vitrage

Affected ranges

Type
GIT
Repo
https://github.com/openstack/vitrage
Events
Database specific
{
    "versions": [
        {
            "introduced": "13.0.0"
        },
        {
            "fixed": "13.0.1"
        },
        {
            "introduced": "14.0.0"
        },
        {
            "fixed": "14.0.1"
        },
        {
            "introduced": "15.0.0"
        },
        {
            "fixed": "15.0.1"
        }
    ]
}

Affected versions

13.*
13.0.0
13.0.0.0rc1
14.*
14.0.0
14.0.0.0rc1
15.*
15.0.0
15.0.0.0rc1
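To check a deployment against the ranges and enumerated versions above, the following added example (not part of the OSV record or of Vitrage) encodes the four (introduced, fixed) ranges and orders versions so that pre-release tags such as 13.0.0.0rc1 are handled. Two assumptions are made explicit in the code: the first range's fixed version, printed on this page as "12.01", is read as 12.0.1 to match the Details text, and a pre-release of an introduced version counts as affected, which is what the Affected versions list shows.

```python
import re

# Affected ranges as listed on this page, (introduced, fixed) per branch.
# The page prints the first range's fixed version as "12.01"; it is read
# here as 12.0.1, matching the Details text (assumption).
AFFECTED_RANGES = [
    ("0", "12.0.1"),
    ("13.0.0", "13.0.1"),
    ("14.0.0", "14.0.1"),
    ("15.0.0", "15.0.1"),
]

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3          # a final release sorts after any of its pre-releases


def parse_version(text):
    """Turn '14.0.1' or '13.0.0.0rc1' into a sortable (release, pre) key.
    Release segments compare numerically with trailing zeros dropped, so
    13.0.0.0 == 13.0.0; a/b/rc tags sort below the final release, as in
    PEP 440.  Anything else is rejected rather than guessed at."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:\.?(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version {text!r}")
    release = [int(x) for x in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (_FINAL_RANK, 0)
    return (tuple(release), pre)


def is_affected(version):
    """True if `version` falls in any listed range.  The lower bound is
    compared on the release segments only, so pre-releases of an introduced
    version (13.0.0.0rc1) count as affected, matching the enumerated
    Affected versions above (assumption); the upper bound is strict."""
    key = parse_version(version)
    release = key[0]
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced)[0] <= release and key < parse_version(fixed):
            return True
    return False


if __name__ == "__main__":
    for v in ("12.0.0", "12.0.1", "13.0.0.0rc1", "13.0.0", "13.0.1", "15.0.0", "15.0.1"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The installed version can be read with `pip show vitrage` on the service host and passed to `is_affected`. Versions that fall between the listed branches (for example anything at or above 12.0.1 but below 13.0.0) are reported as not affected because no range on this page covers them; that reflects the record as published, not an independent judgement about those versions.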

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28370.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "12.01"
            }
        ]
    }
]