PYSEC-2026-754

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/tripleo-heat-templates/PYSEC-2026-754.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-754
Aliases
Published
2026-07-02T14:13:24.276345Z
Modified
2026-07-06T08:00:52.801467491Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Openstack tripleo-heat-templates unauthenticated file access
Details

A resource-permission flaw was found in the tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. This has been patched in versions 7.0.6 and 8.0.0.

References

Affected packages

PyPI / tripleo-heat-templates

Package

Name
tripleo-heat-templates
View open source insights on deps.dev
Purl
pkg:pypi/tripleo-heat-templates

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.0.6

Affected versions

0.*
0.5.6
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11
0.8.12
0.8.13
0.8.14
2.*
2.0.0
2.1.0
2.2.0
5.*
5.0.0.0b1
5.0.0.0b2
5.0.0.0b3
5.0.0.0rc1
5.0.0.0rc2
5.0.0.0rc3
5.0.0
5.1.0
5.2.0
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
6.*
6.0.0.0b1
6.0.0.0b2
6.0.0.0rc1
6.0.0.0rc2
6.0.0
6.1.0
6.2.0
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.7
6.2.8
6.2.9
6.2.10
6.2.11
6.2.12
6.2.13
6.2.14
6.2.15
6.2.16
7.*
7.0.0.0b1
7.0.0.0b2
7.0.0.0b3
7.0.0.0rc1
7.0.0.0rc2
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/tripleo-heat-templates/PYSEC-2026-754.yaml"