PYSEC-2026-2414

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/cinder/PYSEC-2026-2414.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2414
Aliases
Published
2026-07-13T14:36:32.272616Z
Modified
2026-07-13T16:43:17.725861996Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access
Details

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

References

Affected packages

PyPI / cinder

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
24.0.0

Affected versions

10.*
10.0.8
11.*
11.2.0
11.2.1
11.2.2
12.*
12.0.4
12.0.5
12.0.6
12.0.7
12.0.8
12.0.9
12.0.10
13.*
13.0.1
13.0.2
13.0.3
13.0.4
13.0.5
13.0.6
13.0.7
13.0.8
13.0.9
14.*
14.0.0.0rc1
14.0.0.0rc2
14.0.0
14.0.1
14.0.2
14.0.3
14.0.4
14.1.0
14.2.0
14.2.1
14.3.0
14.3.1
15.*
15.0.0.0rc1
15.0.0.0rc2
15.0.0
15.0.1
15.1.0
15.2.0
15.3.0
15.4.0
15.4.1
15.5.0
15.6.0
16.*
16.0.0.0b1
16.0.0.0rc1
16.0.0.0rc2
16.0.0.0rc3
16.0.0
16.1.0
16.2.0
16.2.1
16.3.0
16.4.0
16.4.1
16.4.2
17.*
17.0.0.0rc1
17.0.0.0rc2
17.0.0
17.0.1
17.1.0
17.2.0
17.3.0
17.4.0
18.*
18.0.0.0b1
18.0.0.0rc1
18.0.0.0rc2
18.0.0
18.1.0
18.2.0
18.2.1
19.*
19.0.0.0b1
19.0.0.0rc1
19.0.0.0rc2
19.0.0
19.1.0
19.1.1
19.2.0
19.3.0
20.*
20.0.0.0rc1
20.0.0.0rc2
20.0.0
20.0.1
20.1.0
20.2.0
20.3.0
20.3.1
20.3.2
21.*
21.0.0.0rc2
21.0.0
21.1.0
21.2.0
21.3.0
21.3.1
21.3.2
22.*
22.0.0.0rc1
22.0.0.0rc2
22.0.0
22.1.0
22.1.1
22.1.2
22.2.0
22.3.0
23.*
23.0.0.0rc1
23.0.0.0rc2
23.0.0
23.1.0
23.2.0
23.3.0
23.4.0
23.5.0
24.*
24.0.0.0rc1
24.0.0.0rc2
24.0.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/cinder/PYSEC-2026-2414.yaml"