#1138843 CVE-2026-41283 OSSA-2026-020: Mistral policy enforcement bypass allows unauthorized public resource creation and arbitrary code execution #1138843
- Package:
- src:mistral
- Source:
- src:mistral
- Submitter:
- Thomas Goirand
- Date:
- 2026-06-09 22:13:04 UTC
- Severity:
- normal
- Tags:
Mistral is affected by CVE-2026-41283 Copying content of: https://security.openstack.org/ossa/OSSA-2026-020.html Date: June 03, 2026 CVE: CVE-2026-41283 Affects: Mistral: >=20.0.0 <20.1.1, ==21.0.0, ==22.0.0 Note from package maintainer: All versions from Bullseye to Trixie Description: Eduardo Gonzalez Gutierrez and Arnaud Morin (OVHcloud) reported that several Mistral API endpoints do not enforce access policies, allowing any authenticated user to create public resources and upload arbitrary code that executes on Mistral executor workers. An attacker could extract sensitive data including service credentials from the worker. Deployments exposing the Mistral API are affected. Patches: https://review.opendev.org/991416 (2025.1/epoxy) https://review.opendev.org/991417 (2025.1/epoxy) https://review.opendev.org/991418 (2025.1/epoxy) https://review.opendev.org/991419 (2025.1/epoxy) https://review.opendev.org/991420 (2025.1/epoxy) https://review.opendev.org/991421 (2025.1/epoxy) https://review.opendev.org/991422 (2025.1/epoxy) https://review.opendev.org/991423 (2025.1/epoxy) https://review.opendev.org/991408 (2025.2/flamingo) https://review.opendev.org/991409 (2025.2/flamingo) https://review.opendev.org/991410 (2025.2/flamingo) https://review.opendev.org/991411 (2025.2/flamingo) https://review.opendev.org/991412 (2025.2/flamingo) https://review.opendev.org/991413 (2025.2/flamingo) https://review.opendev.org/991414 (2025.2/flamingo) https://review.opendev.org/991415 (2025.2/flamingo) https://review.opendev.org/991400 (2026.1/gazpacho) https://review.opendev.org/991401 (2026.1/gazpacho) https://review.opendev.org/991402 (2026.1/gazpacho) https://review.opendev.org/991403 (2026.1/gazpacho) https://review.opendev.org/991404 (2026.1/gazpacho) https://review.opendev.org/991405 (2026.1/gazpacho) https://review.opendev.org/991406 (2026.1/gazpacho) https://review.opendev.org/991407 (2026.1/gazpacho) https://review.opendev.org/991392 (2026.2/hibiscus) https://review.opendev.org/991393 (2026.2/hibiscus) https://review.opendev.org/991394 (2026.2/hibiscus) https://review.opendev.org/991395 (2026.2/hibiscus) https://review.opendev.org/991396 (2026.2/hibiscus) https://review.opendev.org/991397 (2026.2/hibiscus) https://review.opendev.org/991398 (2026.2/hibiscus) https://review.opendev.org/991399 (2026.2/hibiscus) Credits: Eduardo Gonzalez Gutierrez from Independent (CVE-2026-41283) Arnaud Morin from OVHcloud (CVE-2026-41283) References: https://launchpad.net/bugs/2147178 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41283
Hello, Bug #1138843 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/openstack-team/services/mistral/-/commit/f099ea914e9c8a69ec57ed17785686d9db228916 ------------------------------------------------------------------------ (Closes: #1138843) ------------------------------------------------------------------------ (this message was generated automatically) -- Greetings https://bugs.debian.org/1138843
Hello, Bug #1138843 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/openstack-team/services/mistral/-/commit/d5c19aba335e6b6ff8d525024d7eeb636383f3aa ------------------------------------------------------------------------ (Closes: #1138843) ------------------------------------------------------------------------ (this message was generated automatically) -- Greetings https://bugs.debian.org/1138843
Hello, Bug #1138843 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/openstack-team/services/mistral/-/commit/7ee6c428ffe8feb7351d6c4b9136488dfdba3c61 ------------------------------------------------------------------------ (Closes: #1138843) ------------------------------------------------------------------------ (this message was generated automatically) -- Greetings https://bugs.debian.org/1138843
We believe that the bug you reported is fixed in the latest version of
mistral, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138843@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated mistral package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 25 May 2026 17:18:35 +0200
Source: mistral
Architecture: source
Version: 20.0.0-2+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138843 1138849
Changes:
mistral (20.0.0-2+deb13u1) trixie-security; urgency=medium
.
* CVE-2026-41283: Mistral policy enforcement bypass allows unauthorized
public resource creation and arbitrary code execution. Applied upstream
patches:
- Restrict publicize policies to admin only
- Remove unnecessary expect_errors=True from policy tests
- Add code_sources publicize policy and enforcement
- Restrict code_sources and dynamic_actions policies to
- Add dynamic_actions publicize policy and enforcement
- Add workbooks publicize policy and enforcement
- Add cron_triggers publicize policy and enforcement
- Add environments publicize policy and enforcement
(Closes: #1138843)
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
Applied upstream patch: "Strip sensitive info from workflow execution
context" (Closes: #1138849).
Checksums-Sha1:
f5b854625f9fd69baa1693184ebdd6df39d8f555 3536 mistral_20.0.0-2+deb13u1.dsc
d521ec7e7ace2409de2c97c3cccf67f2f91b67e5 1013184 mistral_20.0.0.orig.tar.xz
1578f0956734337f30a22803d8c6a83d12c10ef9 21228 mistral_20.0.0-2+deb13u1.debian.tar.xz
a47693c653c0ce23b84d9441dc6624cdabec930e 17628 mistral_20.0.0-2+deb13u1_amd64.buildinfo
Checksums-Sha256:
2b37fb33e6f944361d7d0de72c4df31b69ec930d4cfceff6d5e8756549ca3b68 3536 mistral_20.0.0-2+deb13u1.dsc
2c8368e56b9038a8f1b1c75440168a95bf389b9080d923c07fac8f4e4121a1a3 1013184 mistral_20.0.0.orig.tar.xz
442b30306097bc93d48c696d94142f3b580d03a11e6a3d0fed3c47c8587bc228 21228 mistral_20.0.0-2+deb13u1.debian.tar.xz
4c5bef8000bdc6bb942a86a1d614b4be08eb1a75f36c547b47be0d6cf25ae52d 17628 mistral_20.0.0-2+deb13u1_amd64.buildinfo
Files:
64ce16f1e983d06c616f152136efd9bf 3536 net optional mistral_20.0.0-2+deb13u1.dsc
83adc2526c2c78db6d680ec05e032186 1013184 net optional mistral_20.0.0.orig.tar.xz
64d9fb6430c1990ee45b8fd098da6c9a 21228 net optional mistral_20.0.0-2+deb13u1.debian.tar.xz
33ecac5579e813857058b178f4b87ac1 17628 net optional mistral_20.0.0-2+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmolmwAACgkQ1BatFaxr
Q/56pQ/+OzwfZPl56nUwaY+rlbxif00xjHuX4zinCqKikalNx3PhGQsz//w8Tbzs
SGDLlwcz7Fj9VSDouEooYu5iz7WZ7gh8lscVxV7W4llV7Fo0GW3diLYi/mFDz9OC
bz+kg3fqYdk/NKyxEu+Hen+sykaLu+CuDCXpsQYP4JnZQINVGP+dgqYfHD7tzauY
8lWpnnOt4m4JxilSx7dE7jqMF2BpNC+Y/QRODtLSw2+vwqmqpHh1JWN4Cf14D8ZQ
Kpn1Ne4sE0u8TCeKEvvffdQWsjap6dISaPWDsXpL7kFo4JgfBATOafjoSMpbWZjP
PuW7U5fwVV59y5PC+AMF8zFdmTye+P5WwKD8O5W3CyJRTMSplrx84IUrFRbzXjqA
kOGP8loitun+3yELbchi04Xv5d1SLAUhGKMClk2Be95MLqacz9DkmV/CXy7KpiuA
6i691QlzbmLMQ9t50/JJH8UwU/Xf0J56Ra051r6RBa15WJsgvL+GnySr0X/vgCYK
TReNsmHiYT0Ls7LG4gWrn1GHVQe6Taavka1lD5/iqi7b9nVA3ybkenrjk9g7tffG
yHby+HKonrV7Q540vE0cz+8HiDODBITONz4w4uIf361rfDmY7rNgncfYksCkHgci
OP6jsDR2UHgJWvD942xVw4Yzj6/czrSSSBxsCAsOFY0lp6IcFic=
=mn94
-----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of
mistral, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138843@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated mistral package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 25 May 2026 17:20:47 +0200
Source: mistral
Architecture: source
Version: 15.0.0-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138843
Changes:
mistral (15.0.0-1+deb12u1) bookworm-security; urgency=medium
.
* CVE-2026-41283: Mistral policy enforcement bypass allows unauthorized
public resource creation and arbitrary code execution. Applied upstream
patches:
- Restrict publicize policies to admin only
- Remove unnecessary expect_errors=True from policy tests
- Add code_sources publicize policy and enforcement
- Restrict code_sources and dynamic_actions policies to
- Add dynamic_actions publicize policy and enforcement
- Add workbooks publicize policy and enforcement
- Add cron_triggers publicize policy and enforcement
- Add environments publicize policy and enforcement
(Closes: #1138843)
Checksums-Sha1:
9a1a3500d435d21b3cd9612cf64e9df3b0a10a2c 3571 mistral_15.0.0-1+deb12u1.dsc
2e574a10bed1eba6811f0d531aa5d47380d1332c 1005320 mistral_15.0.0.orig.tar.xz
4f1f46f2c93c946ec3201c6e84b15d946802adbc 17592 mistral_15.0.0-1+deb12u1.debian.tar.xz
1ad8a8afeeb22db6be8d052bc43911b01798e927 17572 mistral_15.0.0-1+deb12u1_amd64.buildinfo
Checksums-Sha256:
ead362e407b079b18bb723c9bccff0c5300e9f9ae38549170750e7335dbee8de 3571 mistral_15.0.0-1+deb12u1.dsc
5d684a6b5cc59c5e399e0998f2f4433e1994ebd313d38b94284c50940a1a15b1 1005320 mistral_15.0.0.orig.tar.xz
89799529e9aa45b772b09c5bb0e6729f42e0471f21d604b391bef727acf988c5 17592 mistral_15.0.0-1+deb12u1.debian.tar.xz
2cbf6f1f4cae1ba445b55d4df50c2d3ee5e2f1e245f795864810dae880449dc1 17572 mistral_15.0.0-1+deb12u1_amd64.buildinfo
Files:
7b4b207b807e8a855022efeb4cde603b 3571 net optional mistral_15.0.0-1+deb12u1.dsc
7bba444c9137f3b4f7c11cf4f7cdadc8 1005320 net optional mistral_15.0.0.orig.tar.xz
7fbd9c1cf39ded395a334db8ddb4c753 17592 net optional mistral_15.0.0-1+deb12u1.debian.tar.xz
afa53967b36cd0ab836e73a436eaf542 17572 net optional mistral_15.0.0-1+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmonSjEACgkQ1BatFaxr
Q/7Ufg/9HkLvF/KZAEBMutBDR3tDfPQzO5/RPJdbsBk3RpIlVmBx3IKeHxQ3p6/P
9KffaevalOKoKFkxxF2XV/MKzggahk9pXcLXbLXIU1K7JVfDBTRB5fsGWqpDPZ51
yq/by5Ein9PiRit0MYXYT5CABXZA72RUctYJK9TTcmXjfq5LkqkYtrzPGt7mTGwT
R3jfU+02YU3Gvb0n5nsUBIlm6XncJJ/ZpqObjpZJK0MBKGsLyHPcsv6slOQ1S5G4
R2qG403CE0V3jG8FD+HOoI7u/X0TuGoCusM4MGPMbBDhEGgpExnxD2kL7ezZ6DRc
kTNbcE1YpRai4Ry2a9jNwWEgOvDrG5CxSAO1JOHGdVPuPbGUkKvmJPHzpt1d40sv
AwALGPm8Xg4QJozpw9kLd7WOO4wjrOkG1ofGqzVdKSxVVpRmKdAd91sUOUya7N8T
t4FkEasma5vFzrCnI3YPx5rTqO6wj5MjhdZ9fGOwk5qlaj56l76oIQQvEBo6Bbpp
wFF/s4rMt1e1GKOYjfqRUxtEnDVcF4vSaboPL8x2BpqiLg8LncWSbYrNX2F62sqf
s6VMdLdDOQZm4cjQvc0lsov/imLin7S0xi/qc0Unt4771ZeVh/Trt63dKA3RRKLh
qpQkCZ4WEQsyGSUphJVlDplIgCZKrKwXUfsUE5+6PTqsWxk7nro=
=rMkh
-----END PGP SIGNATURE-----