CVE-2026-54421
MediumCVSS 6.8Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
In OpenStack Ironic before version 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information such as iSCSI credentials.
Risk Assessment
The risk involves the potential exposure of sensitive information, which could lead to unauthorized access to resources. Organizations should be aware of the risks associated with the disclosure of credential data.
Recommendation
It is recommended to upgrade OpenStack Ironic to version 37.0.1 or later to mitigate this vulnerability. An audit of access to sensitive information should also be conducted.
Original NVD description (English source)
In OpenStack Ironic before 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.

