Severity score: 9.1

OpenStack Vitrage: Unauthorized Access to Host via API

CVE-2026-28370 GHSA-8xwf-cr4r-856r
Summary

A security issue in OpenStack Vitrage allows an attacker with Vitrage API access to potentially access the host where Vitrage is running, which could lead to further security problems. This affects all deployments that expose the Vitrage API. To protect your system, update Vitrage to the latest version to fix this issue.

What to do
  • Update vitrage to version 15.0.1.
  • Update vitrage to version 14.0.1.
  • Update vitrage to version 13.0.1.
  • Update vitrage to version 12.0.1.
Affected software
Vendor      Product   Affected versions           Fix available
            vitrage   > 15.0.0.0rc1, <= 15.0.1    15.0.1
            vitrage   > 14.0.0.0rc1, <= 14.0.1    14.0.1
            vitrage   > 13.0.0.0rc1, <= 13.0.1    13.0.1
            vitrage   <= 12.0.1                   12.0.1
openstack   vitrage   <= 12.01
openstack   vitrage   > 13.0.0, <= 13.0.1
openstack   vitrage   > 14.0.0, <= 14.0.1
openstack   vitrage   > 15.0.0, <= 15.0.1
Original title
OpenStack Vitrage: Unauthorized Access to the Host can Lead to Eval Injection
Original description
In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.
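The bug class the description above names (CWE-95, a query parser that turns caller-supplied query dicts into code) is illustrated here with an added example that is not Vitrage's code: a hypothetical query-dict-to-predicate compiler in its eval-based form next to an allow-list version that treats operators, fields and values as data only. All function names, the query shape and the sample vertices are assumptions made for the illustration.

```python
# Added illustration of the CWE-95 pattern named in this advisory: a toy
# query-dict-to-predicate compiler ({"and": [...]}, {"==": {"field": value}}).
# It is NOT Vitrage's own code; all names here are hypothetical.
import operator
from typing import Callable

def _to_source(query: dict) -> str:
    (op, operand), = query.items()
    if op in ("and", "or"):
        return "(" + f" {op} ".join(_to_source(q) for q in operand) + ")"
    (field, value), = operand.items()
    return f"(item.get({field!r}) {op} {value!r})"

def build_predicate_eval(query: dict) -> Callable[[dict], bool]:
    # CWE-95: caller-controlled operator, field and value are spliced into
    # source text and handed to eval(). Kept only to contrast with the fix.
    return eval("lambda item: " + _to_source(query))

_COMPARE = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
            "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def build_predicate_safe(query: dict) -> Callable[[dict], bool]:
    """Same query shape, no eval: operators come from an allow-list and
    fields/values are only ever used as data, never parsed as code."""
    if not isinstance(query, dict) or len(query) != 1:
        raise ValueError("query node must be a single-key dict")
    (op, operand), = query.items()
    if op in ("and", "or"):
        subs = [build_predicate_safe(q) for q in operand]
        combine = all if op == "and" else any
        return lambda item: combine(p(item) for p in subs)
    if op not in _COMPARE:
        raise ValueError(f"unsupported operator: {op!r}")
    if not isinstance(operand, dict) or len(operand) != 1:
        raise ValueError("comparison needs exactly one field")
    (field, value), = operand.items()
    cmp = _COMPARE[op]
    return lambda item: field in item and cmp(item[field], value)

# Constructed sample graph vertices, not real Vitrage data.
SAMPLE_ITEMS = [
    {"vitrage_category": "RESOURCE", "vitrage_type": "nova.host", "severity": 3},
    {"vitrage_category": "ALARM", "vitrage_type": "zabbix", "severity": 5},
    {"vitrage_category": "RESOURCE", "vitrage_type": "nova.instance", "severity": 1},
]

def match(query: dict, items: list = SAMPLE_ITEMS) -> list:
    pred = build_predicate_safe(query)
    return [it["vitrage_type"] for it in items if pred(it)]
```

The safe compiler rejects any operator outside `_COMPARE` with a `ValueError` before anything is evaluated, which is the check a reviewer would look for in a parser like this.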
NVD CVSS 3.1 base score: 9.1
Vulnerability type
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026