LeakyCreds

CVE-2026-28370 - Vulnerability Analysis

Critical | CVSS: 9.1

Last Updated: February 27, 2026

OpenStack Vitrage - Remote Code Execution

Published: February 27, 2026 | Updated: February 27, 2026 | Remote Exploitable

Overview

OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0 contains a remote code execution vulnerability caused by unsafe query parsing in _create_query_function, which lets users with Vitrage API access execute code as the service user.

Severity & Score

Severity: Critical
CVSS Score: 9.1

Impact

Users with Vitrage API access can execute code on the host, potentially leading to full service compromise and unauthorized host access.

Mitigation

Upgrade to versions 12.0.1, 13.0.0, 14.0.0, 15.0.0 or later.

Details

CVE ID: CVE-2026-28370
Severity: Critical
CVSS Score: 9.1
Status: new

CWE

  • CWE-95

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H