PYSEC-2026-857

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/nova/PYSEC-2026-857.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-857
Aliases
Published
2026-07-06T08:03:28.481640Z
Modified
2026-07-07T11:45:19.048022475Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
OpenStack Nova can leak consoleauth token into log files
Details

An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to NovaProxyRequestHandlerBase.new_websocket_client in console/websocketproxy.py.

References

Affected packages

PyPI / nova

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.2.4
Introduced
19.0.0
Fixed
19.1.0
Introduced
20.0.0
Fixed
20.1.0

Affected versions

15.*
15.1.5
16.*
16.1.6
16.1.7
16.1.8
17.*
17.0.7
17.0.8
17.0.9
17.0.10
17.0.11
17.0.12
17.0.13
18.*
18.0.2
18.0.3
18.1.0
18.2.0
18.2.1
18.2.2
18.2.3
19.*
19.0.0
19.0.1
19.0.2
19.0.3
20.*
20.0.0
20.0.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/nova/PYSEC-2026-857.yaml"