CVE-2026-34881 · PATCHED · CVSS 5.0
python packaging authority · glance


Description

OpenStack Glance <29.1.1, >=30.0.0 <30.1.1, ==31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin.

Affected Products

Vendor: python packaging authority
Product: glance
Versions: pip/glance: < 29.2.0; pip/glance: >= 30.0.0, < 30.2.0; pip/glance: = 31.0.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor: pip
Product: glance
Source: GHSA
Confidence: 85%

References

  • https://bugs.launchpad.net/glance/+bug/2138602
  • https://security.openstack.org/ossa/OSSA-2026-004.html

CVSS 3.1: 5.0 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
CISA KEV: No
Actively exploited: No
Patch available: glance@29.2.0, glance@30.2.0, glance@31.1.0
CWE: CWE-918
Published: Mar 31, 2026
Last enriched: 7h ago
Trending Score: 0
Source articles: 0
Independent: 0
Info Completeness: 5/14
Missing: vendor, product, versions, epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

MEDIUM · CVE-2026-32794
Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-
Trending: 20

CRITICAL · CVE-2026-34935
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()

CRITICAL · CVE-2026-34934
PraisonAI Has Second-Order SQL Injection in `get_all_user_threads`

HIGH · CVE-2026-34936
PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

MEDIUM · CVE-2026-34939
PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools()

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Mar 31, 2026
Patch Available: Apr 1, 2026
Discovered by ZDM: Apr 1, 2026