CVE-2026-54421
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2026-54421 is a sensitive information disclosure vulnerability in OpenStack Ironic affecting versions through 35.0.1. When a privileged user applies a PATCH request to update fields in volume properties they are authorized for, Ironic may return unredacted sensitive information — such as iSCSI credentials — in the API response. The vulnerability was published on June 14, 2026, and carries a CVSS v3.1 base score of 6.8 (Medium) (GitHub Advisory). Notably, only the PATCH operation is affected; the POST operation does not exhibit this behavior (GitHub Advisory).

Technical details

The root cause is classified as CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer), meaning Ironic fails to properly redact sensitive fields before returning API responses to the caller (GitHub Advisory). An authenticated attacker with high-level privileges (administrator or equivalent) can send a PATCH request to a volume properties endpoint and receive unredacted credentials — such as iSCSI usernames and passwords — in the response body that should have been masked. The attack is network-based, requires no user interaction, and has low complexity once the attacker holds the necessary privileges. The bug is tracked upstream at the OpenStack Launchpad bug tracker (GitHub Advisory).

Impact

Successful exploitation results in the disclosure of sensitive storage credentials, specifically iSCSI authentication data, to an already-privileged user who should not have access to unredacted values. While integrity and availability are not directly affected, the exposed credentials could be leveraged to access backend storage systems, potentially enabling lateral movement to storage infrastructure or other workloads sharing the same iSCSI targets. The scope is marked as "Changed" in the CVSS scoring, reflecting that the impact extends beyond the Ironic API component itself to the underlying storage systems whose credentials are exposed (GitHub Advisory).

Exploitation steps

  1. Authenticate: Obtain administrator-level credentials or an API token for the OpenStack Ironic API.
  2. Identify target node: Enumerate Ironic nodes with attached volume connectors or volume targets using a GET request to /v1/nodes or /v1/volume/targets.
  3. Send PATCH request: Issue a PATCH request to a volume properties endpoint (e.g., /v1/volume/targets/{target_uuid}) updating one or more fields the user is authorized to modify.
  4. Capture response: Inspect the API response body for unredacted sensitive fields such as iSCSI CHAP credentials (chap_secret, chap_username, or equivalent fields) that should have been masked.
  5. Leverage credentials: Use the exposed iSCSI credentials to authenticate directly to the backend storage target, potentially gaining unauthorized access to storage volumes or data belonging to other tenants or workloads (GitHub Advisory).

Indicators of compromise

  • Logs: Ironic API access logs showing PATCH requests to /v1/volume/targets/{uuid} or similar volume property endpoints from unexpected source IPs or at unusual times.
  • Logs: Repeated PATCH requests to volume endpoints by accounts that do not normally perform such operations, potentially indicating credential harvesting attempts.
  • Network: Unexpected iSCSI authentication attempts to storage targets from hosts not previously associated with those targets, which may indicate use of harvested credentials.
  • Logs: Ironic API logs showing successful PATCH responses (HTTP 200) to volume target endpoints followed shortly by iSCSI login events on storage infrastructure.
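The indicators above can be turned into a small triage script. The following is an added example written for this page; it is not code from the Ironic project or from the advisory. It assumes a constructed, simplified log format (one line per Ironic API request, plus storage-side iSCSI login events merged into the same stream) and assumed allow-lists of expected administrator accounts and source addresses; real deployments would adapt the regular expressions to their actual API and storage log formats. It flags successful PATCH requests to /v1/volume/targets/{uuid} from unexpected accounts or hosts, bursts of such requests, and iSCSI logins from the same source shortly after a PATCH.

```python
"""Triage Ironic API access logs for the CVE-2026-54421 indicators.

Added example (not Ironic project code). Log format, account names,
addresses and thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allow-lists: the accounts and hosts that legitimately PATCH
# volume targets in this (hypothetical) deployment.
EXPECTED_USERS = {"ops-admin"}
EXPECTED_ADMIN_SRC = {"10.0.0.5"}
BURST_THRESHOLD = 3                 # PATCHes by one user ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this window
CORRELATION_WINDOW = timedelta(minutes=10)  # PATCH -> iSCSI login gap

# Constructed sample log lines (not real data).
SAMPLE_LOGS = """\
2026-06-14T02:13:40Z ironic-api user=svc-backup src=203.0.113.9 "PATCH /v1/volume/targets/4b2c0d8e-1111-4f0a-9a9a-aaaaaaaaaaaa" status=200
2026-06-14T02:13:42Z ironic-api user=svc-backup src=203.0.113.9 "PATCH /v1/volume/targets/9e7f1a23-2222-4c1b-8b8b-bbbbbbbbbbbb" status=200
2026-06-14T02:13:44Z ironic-api user=svc-backup src=203.0.113.9 "PATCH /v1/volume/targets/1c5d6e77-3333-4d2c-9c9c-cccccccccccc" status=200
2026-06-14T02:14:10Z iscsi-target login initiator=iqn.2026-06.example:host77 src=203.0.113.9 target=iqn.2026-06.example:vol-4b2c result=success
2026-06-14T02:14:20Z ironic-api user=svc-backup src=203.0.113.9 "POST /v1/volume/targets" status=201
2026-06-14T09:00:01Z ironic-api user=ops-admin src=10.0.0.5 "PATCH /v1/volume/targets/4b2c0d8e-1111-4f0a-9a9a-aaaaaaaaaaaa" status=200
2026-06-14T09:00:05Z ironic-api user=ops-admin src=10.0.0.5 "GET /v1/nodes" status=200
"""

API_RE = re.compile(
    r'^(?P<ts>\S+) ironic-api user=(?P<user>\S+) src=(?P<src>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" status=(?P<status>\d+)$')
ISCSI_RE = re.compile(
    r'^(?P<ts>\S+) iscsi-target login initiator=(?P<initiator>\S+) '
    r'src=(?P<src>\S+) target=(?P<target>\S+) result=(?P<result>\S+)$')
# Only the per-target endpoint (UUID in the path) is of interest.
VOLUME_TARGET_PATH = re.compile(r'^/v1/volume/targets/[0-9a-f-]{36}$')


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def parse(log_text):
    """Split the combined stream into API events and iSCSI login events."""
    api, iscsi = [], []
    for line in log_text.splitlines():
        m = API_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"], d["status"] = parse_ts(d["ts"]), int(d["status"])
            api.append(d)
            continue
        m = ISCSI_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = parse_ts(d["ts"])
            iscsi.append(d)
    return api, iscsi


def volume_target_patches(api):
    """Successful (HTTP 200) PATCH requests to a specific volume target."""
    return [e for e in api
            if e["method"] == "PATCH" and e["status"] == 200
            and VOLUME_TARGET_PATH.match(e["path"])]


def analyze(log_text):
    """Return a list of finding dicts, one per matched indicator."""
    api, iscsi = parse(log_text)
    patches = volume_target_patches(api)
    findings = []

    # Indicator 1: PATCH from an account or host outside the allow-lists.
    for e in patches:
        if e["user"] not in EXPECTED_USERS or e["src"] not in EXPECTED_ADMIN_SRC:
            findings.append({"rule": "unexpected_patch", "user": e["user"],
                             "src": e["src"], "path": e["path"], "ts": e["ts"]})

    # Indicator 2: a burst of PATCHes by one account (credential harvesting).
    by_user = defaultdict(list)
    for e in patches:
        by_user[e["user"]].append(e["ts"])
    for user, stamps in by_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = [t for t in stamps[i:] if t - start <= BURST_WINDOW]
            if len(in_window) >= BURST_THRESHOLD:
                findings.append({"rule": "patch_burst", "user": user,
                                 "count": len(in_window), "ts": start})
                break

    # Indicator 3: successful iSCSI login from the same source shortly
    # after a PATCH to a volume target.
    for login in iscsi:
        if login["result"] != "success":
            continue
        prior = [e for e in patches if e["src"] == login["src"]
                 and timedelta(0) <= login["ts"] - e["ts"] <= CORRELATION_WINDOW]
        if prior:
            findings.append({"rule": "patch_then_iscsi_login", "src": login["src"],
                             "initiator": login["initiator"],
                             "target": login["target"],
                             "patches": len(prior), "ts": login["ts"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f)
```

On the constructed sample the script reports three unexpected PATCHes by svc-backup, one burst, and one iSCSI login correlated with those PATCHes, while the ops-admin activity from the expected host is not flagged. The POST at the end is ignored on purpose, matching the advisory's note that only PATCH is affected.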

Mitigation and workarounds

Users should upgrade OpenStack Ironic to a version newer than 35.0.1 once a patched release is available. As an interim workaround, restrict PATCH access to volume properties endpoints to only the minimum set of administrators who absolutely require it, using OpenStack policy (policy.yaml) to tighten role-based access controls. Additionally, monitor API access logs for suspicious PATCH requests to volume target endpoints and audit which accounts hold roles permitting such operations (GitHub Advisory).

Community reactions

The vulnerability received brief automated coverage across CVE aggregation platforms and security feeds shortly after publication on June 14, 2026. Social media mentions were observed on Bluesky and Mastodon (infosec.exchange) via automated CVE notification accounts. No significant vendor statements, named researcher commentary, or major media coverage has been identified beyond standard advisory distribution (GitHub Advisory).

This report was generated using AI.

Related Linux Debian vulnerabilities:

CVE ID           Severity  Score  Technologies   Component                 CISA KEV exploit  Fixed  Published
CVE-2026-54056   HIGH      7.6    Linux Debian   kitty                     No                No     Jun 12, 2026
CVE-2026-54057   HIGH      7.3    Linux Debian   kitty                     No                No     Jun 12, 2026
CVE-2026-54421   MEDIUM    6.8    Linux Debian   ironic                    No                No     Jun 14, 2026
CVE-2026-11527   NONE      N/A    Linux Debian   libconfig-inifiles-perl   No                No     Jun 14, 2026
CVE-2026-11526   NONE      N/A    Linux Debian   libgd-perl                No                Yes    Jun 14, 2026
