Security researcher Khalil Lemtaffah from Nokia has identified a critical remote code execution (RCE) vulnerability in OpenStack Vitrage, the platform’s dedicated Root Cause Analysis (RCA) service. The flaw, tracked as CVE-2026-28370, carries a critical-severity CVSS score of 9.1 and could allow an attacker to gain full control over the Vitrage service host.
OpenStack Vitrage is essential for cloud administrators, as it organizes and analyzes alarms and events to deduce the root causes of system problems before they are even detected by standard monitors.
The security hole exists within the Vitrage query parser, specifically in the _create_query_function located in vitrage/graph/query.py. Any user with legitimate access to the Vitrage API can manipulate the query parser to trigger arbitrary code execution on the service host.
The code executes with the same privileges as the Vitrage service itself. This leads to unauthorized host access and a complete compromise of the RCA service, potentially blinding administrators to other issues within the cloud infrastructure. According to the security advisory, “all deployments exposing the Vitrage API are affected”.
The vulnerability impacts multiple releases of OpenStack Vitrage:
- Versions prior to 12.0.1
- Version 13.0.0
- Version 14.0.0
- Version 15.0.0
The OpenStack security team has moved rapidly to release patches across various active branches, from “Antelope” to the most recent “Gazpacho”.
While the stable/2023.1 branch is technically unmaintained and will not receive further point releases, the security team has provided a patch for it as a courtesy due to the severity of this issue.
Administrators are urged to apply these updates immediately to secure their Vitrage API endpoints and protect the underlying host infrastructure.
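Before scheduling the upgrade, an operator needs to know whether the installed Vitrage falls inside the affected set the advisory lists (anything before 12.0.1, plus the 13.0.0, 14.0.0 and 15.0.0 releases). The following checker is an added example written for this article; it is not part of Vitrage or of the OpenStack security team's tooling. It encodes only the version ranges stated above, reads the installed package version through the standard library's importlib.metadata (the distribution name "vitrage" is assumed), and deliberately refuses to call a .dev or rc snapshot "fixed", since such a build may predate the fix commit.

```python
"""Check an OpenStack Vitrage version against the CVE-2026-28370 affected set.

Affected, per the advisory as summarised in the article:
  - any version earlier than 12.0.1
  - exactly 13.0.0, 14.0.0 or 15.0.0
Constructed example; not Vitrage's own code.
"""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import Tuple

Version = Tuple[int, int, int]

# MAJOR.MINOR[.PATCH], optional leading 'v'; anything after the numbers is a suffix.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?P<suffix>.*)$")
# PBR-style development and pre-release markers, e.g. 12.0.1.dev5, 15.0.0rc1
_PRERELEASE_RE = re.compile(r"\.?(dev|rc|a|b)\d*", re.IGNORECASE)

# Only the .0.0 release of the 13/14/15 series is listed as affected.
AFFECTED_EXACT = {(13, 0, 0), (14, 0, 0), (15, 0, 0)}
# Everything below this point in the 12.x line (and all earlier lines) is affected.
FIRST_FIXED_12 = (12, 0, 1)


def parse_version(text: str) -> Tuple[Version, str]:
    """Return ((major, minor, patch), suffix). A missing patch counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch)), m.group("suffix").strip()


def is_affected(text: str) -> bool:
    """True when the numeric version is inside the advisory's affected set."""
    v, _ = parse_version(text)
    if v < FIRST_FIXED_12:
        return True
    return v in AFFECTED_EXACT


def classify(text: str) -> str:
    """'affected', 'fixed', or 'unverified' for dev/rc snapshots.

    A snapshot such as 12.0.1.dev5 carries the *next* release number even
    though it may not contain the fix, so it is never reported as fixed.
    """
    _, suffix = parse_version(text)
    if _PRERELEASE_RE.search(suffix):
        return "unverified"
    return "affected" if is_affected(text) else "fixed"


def installed_status(dist_name: str = "vitrage") -> str:
    """Classify the locally installed Vitrage distribution, if any."""
    try:
        ver = installed_version(dist_name)
    except PackageNotFoundError:
        return f"{dist_name}: not installed"
    return f"{dist_name} {ver}: {classify(ver)}"


if __name__ == "__main__":
    # Constructed sample inputs covering each boundary of the affected set.
    for sample in ["11.4.0", "12.0.0", "12.0.1", "13.0.0", "13.0.1",
                   "14.0.0", "15.0.0", "16.0.0", "12.0.1.dev5", "15.0.0rc1"]:
        print(f"{sample:>12}: {classify(sample)}")
    print(installed_status())
```

Run it on the Vitrage API host's Python environment (the one the service actually starts from, which may be a virtualenv rather than the system interpreter); a result of "unverified" means the build number alone cannot tell you whether the fix is present, and the deployed commit should be compared against the patched branch instead.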