CVE-2026-28370 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: February 27, 2026
OpenStack Vitrage - Remote Code Execution
Overview
OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0 contains a remote code execution vulnerability caused by unsafe query parsing in _create_query_function, allowing users with Vitrage API access to execute code as the user the Vitrage service runs under.
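The root cause above is a query parser that turns user-controlled input into something the interpreter evaluates (CWE-95). The defensive pattern is to compile the query against an operator allow-list into a predicate, so no user text is ever evaluated as code. The following is an added illustration of that pattern; it is not code from this advisory or from the Vitrage project, and the JSON query shape ({"and": [...]}, {"==": {"field": value}}), the operator set, and every function name are assumptions made for the example.

```python
"""Allow-list query compiler (constructed example, not Vitrage code).

A JSON filter such as {"and": [{"==": {"category": "ALARM"}}, {">": {"severity": 2}}]}
is compiled into a Python predicate by walking the structure and mapping
each operator through a fixed table. Unknown operators are rejected and
values are only ever compared, never interpreted, so there is no eval()
surface regardless of what the caller sends.
"""
import json
import operator
from typing import Any, Callable, Dict, List

Predicate = Callable[[Dict[str, Any]], bool]

# The complete set of comparison operators a query may use (assumed set).
COMPARISONS = {
    "==": operator.eq,
    "!=": operator.ne,
    "<": operator.lt,
    "<=": operator.le,
    ">": operator.gt,
    ">=": operator.ge,
}

SCALAR_TYPES = (str, int, float, bool, type(None))


class QueryError(ValueError):
    """Raised for any query that does not match the allowed grammar."""


def compile_query(node: Any) -> Predicate:
    """Recursively compile one query node into a predicate over an entity dict."""
    if not isinstance(node, dict) or len(node) != 1:
        raise QueryError("each query node must be an object with exactly one key")
    (op, arg), = node.items()

    if op in ("and", "or"):
        if not isinstance(arg, list) or not arg:
            raise QueryError(f"'{op}' expects a non-empty list of sub-queries")
        subs = [compile_query(n) for n in arg]
        combine = all if op == "and" else any
        return lambda item: combine(p(item) for p in subs)

    if op == "not":
        sub = compile_query(arg)
        return lambda item: not sub(item)

    if op in COMPARISONS:
        if not isinstance(arg, dict) or len(arg) != 1:
            raise QueryError(f"'{op}' expects exactly one field/value pair")
        (field, value), = arg.items()
        if not isinstance(field, str) or not isinstance(value, SCALAR_TYPES):
            raise QueryError("field must be a string and value a scalar literal")
        cmp = COMPARISONS[op]

        def pred(item: Dict[str, Any], field=field, value=value, cmp=cmp) -> bool:
            # Missing fields and type mismatches simply fail to match;
            # the user-supplied value is only ever a comparison operand.
            if field not in item:
                return False
            try:
                return bool(cmp(item[field], value))
            except TypeError:
                return False
        return pred

    # Anything else (including attempts to smuggle names like __import__) is refused.
    raise QueryError(f"unknown operator {op!r}")


def filter_entities(query_json: str, entities: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Parse the JSON query text, compile it, and apply it to a list of entities."""
    pred = compile_query(json.loads(query_json))
    return [e for e in entities if pred(e)]


# Constructed sample entities standing in for graph vertices.
SAMPLE_ENTITIES = [
    {"category": "ALARM", "severity": 3, "name": "cpu"},
    {"category": "ALARM", "severity": 1, "name": "disk"},
    {"category": "RESOURCE", "severity": 5, "name": "host"},
]


def demo() -> List[str]:
    """Return the names matching a typical compound query over the sample data."""
    q = '{"and": [{"==": {"category": "ALARM"}}, {">": {"severity": 2}}]}'
    return [e["name"] for e in filter_entities(q, SAMPLE_ENTITIES)]


if __name__ == "__main__":
    print(demo())
```

The design point is that the grammar is closed: every accepted token is looked up in a table and every value is a JSON scalar used only as a comparison operand. A query that names an operator outside the table fails with QueryError before any entity is touched, which is also a useful place to emit a log line for detection of probing.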
Severity & Score
Impact
Users with Vitrage API access can execute code on the host, potentially leading to full service compromise and unauthorized host access.
Mitigation
Upgrade to version 12.0.1, 13.0.0, 14.0.0, or 15.0.0, or later.
References
Social Media Activity (2 posts)
⚠️ CRITICAL: CVE-2026-28370 in OpenStack Vitrage (CVSS 9.1) enables authenticated RCE via eval injection in query parser. Upgrade to fixed versions, restrict API access, and monitor logs. Affects 0, 13.0.0, 14.0.0, 15.0.0. Details: https://radar.offseq.com/threat/cve-2026-28370-cwe-95-improper-neutralization-of-d-e403f347 #OffSeq #OpenStack #Vuln
🔴 CVE-2026-28370 - Critical (9.1) In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unau... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28370/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-28370
- Severity: Critical
- CVSS Score: 9.1
- Type: undefined
- Status: confirmed
- EPSS: 7.6%
- Social Posts: 2
CWE
- CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, "Eval Injection")
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H