DEBIAN-CVE-2026-28370

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-28370

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-28370.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-28370

Upstream

CVE-2026-28370

Published

2026-02-27T05:18:20.757Z

Modified

2026-03-01T22:08:39.510166Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in createquery_function in vitrage/graph/query.py.

References

https://security-tracker.debian.org/tracker/CVE-2026-28370

Affected packages

Debian:11 / vitrage

Package

Name: vitrage
Purl: pkg:deb/debian/vitrage?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.3.0-2

7.4.0-1

7.4.0-2

7.5.0-1

7.5.0-2

8.*

8.0.0-1

8.0.1-1

9.*

9.0.0-1

9.0.0-2

9.0.0-3

9.0.0-3.1

10.*

10.0.0~rc1-1

10.0.0-1

10.0.0-2

11.*

11.0.0~rc1-1

11.0.0~rc1-2

11.0.0-1

11.0.0-2

12.*

12.0.0~rc1-1

12.0.0~rc1-2

12.0.0-1

13.*

13.0.0~rc1-1

13.0.0~rc1-2

13.0.0-1

13.0.0-2

13.0.0-3

13.0.0-4

13.0.0-5

13.0.0-6

14.*

14.0.0~rc1-1

14.0.0~rc1-2

14.0.0-1

14.0.0-2

14.0.0-3

14.0.0-4

15.*

15.0.0~rc1-1

15.0.0~rc1-2

15.0.0-1

15.0.1-1

15.0.1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-28370.json"

Debian:12 / vitrage

Package

Name: vitrage
Purl: pkg:deb/debian/vitrage?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.0.0-3.1

10.*

10.0.0~rc1-1

10.0.0-1

10.0.0-2

11.*

11.0.0~rc1-1

11.0.0~rc1-2

11.0.0-1

11.0.0-2

12.*

12.0.0~rc1-1

12.0.0~rc1-2

12.0.0-1

13.*

13.0.0~rc1-1

13.0.0~rc1-2

13.0.0-1

13.0.0-2

13.0.0-3

13.0.0-4

13.0.0-5

13.0.0-6

14.*

14.0.0~rc1-1

14.0.0~rc1-2

14.0.0-1

14.0.0-2

14.0.0-3

14.0.0-4

15.*

15.0.0~rc1-1

15.0.0~rc1-2

15.0.0-1

15.0.1-1

15.0.1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-28370.json"

Debian:13 / vitrage

Package

Name: vitrage
Purl: pkg:deb/debian/vitrage?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

14.*

14.0.0-4

15.*

15.0.0~rc1-1

15.0.0~rc1-2

15.0.0-1

15.0.1-1

15.0.1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-28370.json"

Debian:14 / vitrage

Package

Name: vitrage
Purl: pkg:deb/debian/vitrage?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

15.0.1-1

Affected versions

14.*

14.0.0-4

15.*

15.0.0~rc1-1

15.0.0~rc1-2

15.0.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-28370.json"