UBUNTU-CVE-2026-28370
- Source
- https://ubuntu.com/security/CVE-2026-28370
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-28370.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-28370
- Upstream
- Published
- 2026-02-27T05:18:00Z
- Modified
- 2026-03-05T12:29:35Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in createquery_function in vitrage/graph/query.py.
- References
Affected packages
Ubuntu:20.04:LTS / vitrage
Package
- Name
- vitrage
- Purl
- pkg:deb/ubuntu/vitrage@6.0.1-0ubuntu1?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "6.0.1-0ubuntu1",
"binary_name": "python3-vitrage"
},
{
"binary_version": "6.0.1-0ubuntu1",
"binary_name": "vitrage-api"
},
{
"binary_version": "6.0.1-0ubuntu1",
"binary_name": "vitrage-collector"
},
{
"binary_version": "6.0.1-0ubuntu1",
"binary_name": "vitrage-common"
},
{
"binary_version": "6.0.1-0ubuntu1",
"binary_name": "vitrage-graph"
},
{
"binary_version": "6.0.1-0ubuntu1",
"binary_name": "vitrage-ml"
},
{
"binary_version": "6.0.1-0ubuntu1",
"binary_name": "vitrage-notifier"
},
{
"binary_version": "6.0.1-0ubuntu1",
"binary_name": "vitrage-persistor"
},
{
"binary_version": "6.0.1-0ubuntu1",
"binary_name": "vitrage-snmp-parsing"
}
]
}
Ubuntu:22.04:LTS / vitrage
Package
- Name
- vitrage
- Purl
- pkg:deb/ubuntu/vitrage@8.0.1-0ubuntu1?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
7.*
7.5.0-0ubuntu1
7.5.0+git2021120910.95b33dbf-0ubuntu1
7.5.0+git2022011309.43091cd4-0ubuntu1
7.5.0+git2022011309.43091cd4-0ubuntu2
8.*
8.0.1-0ubuntu1
Ecosystem specific
{
"binaries": [
{
"binary_version": "8.0.1-0ubuntu1",
"binary_name": "python3-vitrage"
},
{
"binary_version": "8.0.1-0ubuntu1",
"binary_name": "vitrage-api"
},
{
"binary_version": "8.0.1-0ubuntu1",
"binary_name": "vitrage-collector"
},
{
"binary_version": "8.0.1-0ubuntu1",
"binary_name": "vitrage-common"
},
{
"binary_version": "8.0.1-0ubuntu1",
"binary_name": "vitrage-graph"
},
{
"binary_version": "8.0.1-0ubuntu1",
"binary_name": "vitrage-ml"
},
{
"binary_version": "8.0.1-0ubuntu1",
"binary_name": "vitrage-notifier"
},
{
"binary_version": "8.0.1-0ubuntu1",
"binary_name": "vitrage-persistor"
},
{
"binary_version": "8.0.1-0ubuntu1",
"binary_name": "vitrage-snmp-parsing"
}
]
}
Ubuntu:24.04:LTS / vitrage
Package
- Name
- vitrage
- Purl
- pkg:deb/ubuntu/vitrage@12.0.0-0ubuntu1?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "12.0.0-0ubuntu1",
"binary_name": "python3-vitrage"
},
{
"binary_version": "12.0.0-0ubuntu1",
"binary_name": "vitrage-api"
},
{
"binary_version": "12.0.0-0ubuntu1",
"binary_name": "vitrage-collector"
},
{
"binary_version": "12.0.0-0ubuntu1",
"binary_name": "vitrage-common"
},
{
"binary_version": "12.0.0-0ubuntu1",
"binary_name": "vitrage-graph"
},
{
"binary_version": "12.0.0-0ubuntu1",
"binary_name": "vitrage-ml"
},
{
"binary_version": "12.0.0-0ubuntu1",
"binary_name": "vitrage-notifier"
},
{
"binary_version": "12.0.0-0ubuntu1",
"binary_name": "vitrage-persistor"
},
{
"binary_version": "12.0.0-0ubuntu1",
"binary_name": "vitrage-snmp-parsing"
}
]
}
Ubuntu:25.10 / vitrage
Package
- Name
- vitrage
- Purl
- pkg:deb/ubuntu/vitrage@15.0.0-0ubuntu1?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "15.0.0-0ubuntu1",
"binary_name": "python3-vitrage"
},
{
"binary_version": "15.0.0-0ubuntu1",
"binary_name": "vitrage-api"
},
{
"binary_version": "15.0.0-0ubuntu1",
"binary_name": "vitrage-collector"
},
{
"binary_version": "15.0.0-0ubuntu1",
"binary_name": "vitrage-common"
},
{
"binary_version": "15.0.0-0ubuntu1",
"binary_name": "vitrage-graph"
},
{
"binary_version": "15.0.0-0ubuntu1",
"binary_name": "vitrage-ml"
},
{
"binary_version": "15.0.0-0ubuntu1",
"binary_name": "vitrage-notifier"
},
{
"binary_version": "15.0.0-0ubuntu1",
"binary_name": "vitrage-persistor"
},
{
"binary_version": "15.0.0-0ubuntu1",
"binary_name": "vitrage-snmp-parsing"
}
]
}