CVE-2026-54423 in Ironicinfo

Summary

by MITRE • 07/10/2026

In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management interface can maliciously use the send_raw step to send arbitrary IPMI commands to a node, bypassing Ironic's access control.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/10/2026

OpenStack Ironic represents a critical infrastructure component for bare metal provisioning and management within cloud environments, serving as the primary service for deploying and managing physical hardware through automated workflows. The vulnerability under discussion affects versions prior to 37.0.1, where a fundamental flaw exists in the access control mechanisms governing IPMI (Intelligent Platform Management Interface) operations. This security weakness specifically targets users who possess deployment privileges within the Ironic system, creating a significant escalation path that allows malicious actors to circumvent established security boundaries.

The technical flaw manifests through the send_raw step functionality within the IPMI management interface implementation. When users with legitimate deployment permissions execute this step, they can transmit arbitrary IPMI commands directly to target nodes without proper authorization checks. This represents a critical bypass of Ironic's intended access control model where administrative privileges should be strictly enforced. The vulnerability stems from insufficient input validation and authorization verification within the command execution pipeline, allowing privilege escalation through legitimate system interfaces that should normally be restricted to authorized administrators only.

The operational impact of this vulnerability extends beyond simple unauthorized command execution, creating potential risks for critical infrastructure security. An attacker with deployment privileges can leverage this weakness to execute arbitrary IPMI commands such as power control operations, sensor data retrieval, or firmware updates on target systems. This capability enables malicious actors to potentially disrupt services, extract sensitive information from hardware management interfaces, or even compromise physical system integrity through unauthorized firmware modifications. The vulnerability particularly affects environments where Ironic manages critical bare metal infrastructure, including data centers, edge computing deployments, and enterprise server farms where physical security and access control are paramount.

This vulnerability aligns with CWE-284 (Improper Access Control) and represents a specific implementation weakness in the privilege management subsystem of OpenStack Ironic. From an ATT&CK framework perspective, this issue enables techniques such as privilege escalation through legitimate system interfaces and command execution via management protocols. The attack surface expands significantly when considering that IPMI interfaces often provide access to critical system functions including remote power control, sensor monitoring, and hardware diagnostics that can be leveraged for further compromise or denial of service attacks.

Organizations should immediately implement the available patches for OpenStack Ironic version 37.0.1 or later, which address the improper access control mechanism in the send_raw step implementation. Additional mitigations include implementing network segmentation between management interfaces and production systems, enforcing strict role-based access controls within Ironic deployments, and conducting regular security audits of IPMI interface configurations. Security teams should also monitor for unauthorized access attempts to IPMI management interfaces and implement logging mechanisms that track command execution patterns through the send_raw step functionality. The remediation process must include comprehensive testing to ensure that legitimate deployment operations continue to function while eliminating the privilege bypass capability that enables this vulnerability.

Responsible

MITRE

Reservation

06/14/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!