OSSA-2026-003: Remote code execution through Vitrage query parser

Date: March 03, 2026

CVE: CVE-2026-28370

Affects

  • Vitrage: <12.0.1, ==13.0.0, ==14.0.0, ==15.0.0

Description

Khalil Lemtaffah (Nokia) reported a vulnerability in the Vitrage query parser. A user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected.
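
The quickest defender-side triage is to test an installed version against the Affects line above. The following is an added example, not part of the advisory or of the Vitrage project; it assumes plain major.minor.patch version strings and reads the comma-separated clauses as alternatives (any matching clause means the release is affected).

```python
"""Check an installed Vitrage version against the OSSA-2026-003 Affects line."""
import re

# Affected set exactly as published in the advisory.
AFFECTED_SPEC = "<12.0.1, ==13.0.0, ==14.0.0, ==15.0.0"

# One clause: a comparison operator followed by a dotted numeric version.
_CLAUSE = re.compile(r"^(<=|>=|==|<|>)\s*(\d+(?:\.\d+)*)$")

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def parse_version(text):
    """'12.0.1' -> (12, 0, 1); shorter strings are padded with zeros.

    Assumption: release strings are purely numeric (no pre-release suffixes).
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def parse_spec(spec):
    """Turn '<12.0.1, ==13.0.0' into a list of (operator, version tuple)."""
    clauses = []
    for raw in spec.split(","):
        match = _CLAUSE.match(raw.strip())
        if not match:
            raise ValueError("unparseable clause: %r" % raw)
        clauses.append((match.group(1), parse_version(match.group(2))))
    return clauses


def is_affected(installed, spec=AFFECTED_SPEC):
    """True if `installed` satisfies any clause of the advisory's Affects line."""
    version = parse_version(installed)
    return any(_OPS[op](version, bound) for op, bound in parse_spec(spec))


if __name__ == "__main__":
    # Constructed sample versions straddling each boundary in the Affects line.
    for candidate in ("11.0.0", "12.0.0", "12.0.1", "13.0.0", "13.0.1", "15.0.0", "16.0.0"):
        print(candidate, "affected" if is_affected(candidate) else "not affected")
```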

Patches

Credits

  • Khalil Lemtaffah from Nokia (CVE-2026-28370)

References

Notes

  • The stable/2023.1 branch is unmaintained and will receive no new point releases, but a patch for it is provided as a courtesy.