OpenStack Ironic Path Traversal (CVE-2026-48681): File Overwrite via Crafted ISO During Bare Metal Deployment

A path traversal vulnerability in OpenStack Ironic, the bare metal provisioning service, tracked as CVE-2026-48681, allows an attacker to overwrite arbitrary files during deployment by supplying a crafted ISO image. The vulnerability affects Ironic through version 35.0.1 and is fixed in versions 26.1.7, 29.0.6, 32.0.2, and 35.0.2 across the respective release branches.

What Is the Vulnerability?

CVE-2026-48681 is a directory traversal vulnerability (CWE-23) in OpenStack Ironic’s ISO image handling during bare metal server deployment. When Ironic processes a deployment request with an ISO image, a crafted image can exploit insufficient path sanitisation to write files outside the intended deployment directory. This allows an attacker who can supply a deployment image — either as a cloud tenant or through a compromised user account — to overwrite files on the Ironic conductor node, potentially compromising the bare metal provisioning infrastructure.

OpenStack Ironic is the bare metal provisioning component of OpenStack clouds, used to deploy operating systems onto physical servers. The Ironic conductor is a privileged component that manages physical hardware — compromising it can give an attacker control over the provisioning of new servers, access to deployment credentials, and the ability to manipulate the boot process of physical infrastructure.

  • CVSS v3.1 Score: 5.9 (Medium)
  • CWE: CWE-23 (Relative Path Traversal)
  • Attack Vector: Network — requires ability to supply a crafted ISO image

Which Versions Are Affected?

All OpenStack Ironic release branches prior to the fixed versions:

  • Ironic 26.x: versions prior to 26.1.7
  • Ironic 29.x: versions prior to 29.0.6
  • Ironic 32.x: versions prior to 32.0.2
  • Ironic 35.x: versions prior to 35.0.2

Is It Being Exploited in the Wild?

No active exploitation has been publicly reported. However, the vulnerability was published on June 5, 2026 with full technical details.

What Is the Fix?

Update OpenStack Ironic to the patched version for your release branch. The fix implements proper path sanitisation for ISO image contents during deployment. For containerised OpenStack deployments (Kolla, OpenStack-Helm), update the Ironic container images.
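To make concrete what "proper path sanitisation" means for ISO contents, the following is an added example and not Ironic's own code: a containment check an extractor would apply to every untrusted entry name before writing it under the deployment directory. The function and class names and the sample entry names are constructed for illustration; the check rejects absolute names, `..` components, and writes through a symlink that an earlier entry could have planted under the target directory.

```python
import tempfile
from pathlib import Path, PurePosixPath


class UnsafeIsoPath(ValueError):
    """An ISO entry would land outside the deployment directory."""


def safe_destination(dest_root: str, entry_name: str) -> Path:
    """Map an untrusted ISO 9660 entry name to a path under dest_root, rejecting
    absolute names, '..' components and parents that resolve outside dest_root."""
    root = Path(dest_root).resolve()
    entry = PurePosixPath(entry_name)  # ISO names use '/' on every host OS
    if entry.is_absolute() or not entry.parts:
        raise UnsafeIsoPath(f"absolute or empty entry: {entry_name!r}")
    if ".." in entry.parts:
        raise UnsafeIsoPath(f"parent reference in entry: {entry_name!r}")
    candidate = root.joinpath(*entry.parts)
    # Resolve the parent only (leaf may not exist yet) so a planted symlink cannot redirect the write
    resolved = candidate.parent.resolve() / candidate.name
    try:
        resolved.relative_to(root)
    except ValueError:
        raise UnsafeIsoPath(f"entry escapes {root}: {entry_name!r}") from None
    return resolved


def filter_iso_entries(dest_root: str, entry_names: list[str]) -> dict[str, str]:
    """Classify each entry as 'ok' or 'rejected' without writing anything."""
    results = {}
    for name in entry_names:
        try:
            safe_destination(dest_root, name)
            results[name] = "ok"
        except UnsafeIsoPath:
            results[name] = "rejected"
    return results


def demo() -> dict[str, str]:
    """Run the check on constructed entry names in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "deploy"
        root.mkdir()
        (root / "link").symlink_to(tmp)  # constructed: a symlink pointing outside root
        return filter_iso_entries(str(root), [
            "boot/vmlinuz",           # ordinary nested file: ok
            "boot/../../escape.cfg",  # traversal hidden mid-path: rejected
            "../escape.cfg",          # plain relative traversal: rejected
            "/absolute.cfg",          # absolute name: rejected
            "link/escape.cfg",        # write through the planted symlink: rejected
        ])
```

A plain string-prefix comparison on the joined path would pass the symlink case above, which is why the parent directory is resolved on disk before the containment test.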

Recommendations

Update Ironic on all OpenStack control planes. While the CVSS score is moderate, the Ironic conductor’s privileged position in managing physical hardware makes any file write vulnerability worth addressing promptly.

Restrict ISO image sources. Only allow deployment images from trusted, internally managed image repositories. Implement image signing and verification for deployment images.

References

This advisory was first covered in the broader Vulnerability Intelligence Report — June 5, 2026.
