CVE-2026-46448
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
A vulnerability in OpenStack Nova before version 33.0.2 allows bypassing Placement allocation during instance creation via the API. The server does not strip certain hint data, resulting in no Placement allocation for the instance.
Risk Assessment
Lack of Placement allocation can lead to uncontrolled resource allocation, potentially causing overload of physical nodes and destabilization of the cloud environment.
Recommendation
It is recommended to immediately upgrade OpenStack Nova to version 33.0.2 or later, which fixes this vulnerability.
Original NVD description (English source)
In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.

