Command Injection in Ironic IPMI Console Implementations

56% confidence

Description

A project manager in Ironic can inject arbitrary commands executed by the conductor during IPMI console activation in specific console backends. Vulnerable configurations require explicit enabling of 'ipmitool-shellinabox' or 'ipmitool-socat' interfaces.

Affected Products

Vendor	Product	Versions
openstack	ironic	>=4.3.0 <26.1.6, >=27.0.0 <29.0.5, >=30.0.0 <32.0.1, >=33.0.0 <35.0.1

Related News (1 articles)

Tier C

oss-security3h ago

[OSSA-2026-008] Ironic: Command Injection in IPMI Console Implementations (CVE pending)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

CWECWE-78

PublishedApr 27, 2026

Last enriched2h ago

Community Vote

0 upvotes0 downvotes

No votes yet

Command Injection in Ironic IPMI Console Implementations

Description

Affected Products

Related News (1 articles)

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline