- Package:
- src:mistral
- Source:
- src:mistral
- Submitter:
- Thomas Goirand
- Date:
- 2026-06-09 22:13:03 UTC
- Severity:
- normal
- Tags:
OSSN-0098: Mistral workflow execution context exposes Keystone auth token

== Summary ==
Eduardo Gonzalez Gutierrez reported that Mistral stores the Keystone authentication token in the workflow execution context. Any user who can create or inspect workflow executions can retrieve active tokens via YAQL or Jinja2 expressions and use them to perform actions as the workflow initiator. Deployments where untrusted users can create or execute workflows are affected.

== Affected Services / Software ==
* mistral: <=22.0.0

== Discussion ==
When a workflow execution starts, Mistral copies the full Keystone authentication context into the execution's stored context. This includes the auth_token and service_catalog. The fix masks these fields and is only applied to the master branch. Backporting to stable branches would break workflows that rely on the $.openstack.auth_token context variable.

== Recommended Actions ==
Operators running stable branches of Mistral should:
* Restrict who can create and inspect workflow executions using Mistral's policy configuration.
* Audit workflow definitions for references to $.openstack.auth_token.
* Upgrade to the next major release of Mistral when available, which will include the fix.

The fix masks auth_token and service_catalog in the workflow execution context. It is applied to the master branch only.
* 2026.2/hibiscus (master): [https://review.opendev.org/c/openstack/mistral/+/991391 Gerrit 991391]

== Credits ==
Eduardo Gonzalez Gutierrez (Independent)
Arnaud Morin, OVHCloud

== Contacts / References ==
* Authors: Goutham Pacha Ravi, Red Hat
* This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0098
* Original Launchpad bug: https://launchpad.net/bugs/2146554
* Mailing List: [security-sig] tag on openstack-discuss@lists.openstack.org
* OpenStack Security: https://security.openstack.org/
* CVE: none
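Added example (editor's code, not Mistral's and not part of the OSSN or the Debian packaging): two helpers for an operator stuck on a stable branch. audit_workflow_text() scans a workflow definition for the $.openstack.auth_token and service_catalog references the OSSN asks operators to audit, and mask_sensitive_context() shows what masking those two fields in a stored execution context amounts to. The context layout, the placeholder string, the Jinja2 `_.openstack.…` reference form and the sample workflow and context are assumptions constructed for illustration; the upstream patch may do it differently.

```python
"""Added example for OSSN-0098 (not Mistral's own code).

audit_workflow_text(): report references to the Keystone token or the
service catalog in a workflow definition, so they can be reviewed before
moving to a release that masks those fields.

mask_sensitive_context(): illustrate what "masking auth_token and
service_catalog in the execution context" means, on a constructed
context dict. Field layout and placeholder value are assumptions.
"""
import re

# YAQL references look like $.openstack.auth_token. Mistral's Jinja2
# expressions reach the context through `_`, e.g. {{ _.openstack.auth_token }}
# (assumed form). Matching the dotted path after either prefix covers both.
_REF_RE = re.compile(r"(?:\$|_)\.(openstack\.(?:auth_token|service_catalog))\b")


def audit_workflow_text(text: str) -> list[tuple[int, str]]:
    """Return (line_number, dotted_path) for each sensitive reference found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _REF_RE.finditer(line):
            findings.append((lineno, match.group(1)))
    return findings


MASK = "*** masked ***"  # assumption: any fixed placeholder would do


def mask_sensitive_context(ctx: dict) -> dict:
    """Return a copy of an execution context with the Keystone token and the
    service catalog replaced by MASK. Other keys are left untouched and the
    input dict is not modified."""
    masked = dict(ctx)
    openstack = dict(masked.get("openstack") or {})
    for key in ("auth_token", "service_catalog"):
        if key in openstack:
            openstack[key] = MASK
    if openstack:
        masked["openstack"] = openstack
    return masked


# Constructed sample workflow definition (not taken from the page).
SAMPLE_WORKFLOW = """\
version: '2.0'
create_server:
  tasks:
    get_token:
      action: std.noop
      publish:
        token: <% $.openstack.auth_token %>
    call_api:
      action: std.http
      input:
        url: https://compute.example.invalid/v2.1/servers
        headers:
          X-Auth-Token: "{{ _.openstack.auth_token }}"
    harmless:
      action: std.echo output=<% $.openstack.project_id %>
"""

# Constructed sample execution context (not real data).
SAMPLE_CONTEXT = {
    "openstack": {
        "auth_token": "gAAAAABconstructedtoken",
        "service_catalog": [{"type": "compute", "endpoints": []}],
        "project_id": "c0ffee",
        "user_name": "alice",
    },
    "__execution": {"id": "0000-constructed"},
}

if __name__ == "__main__":
    for lineno, path in audit_workflow_text(SAMPLE_WORKFLOW):
        print(f"line {lineno}: references {path}")
    print(mask_sensitive_context(SAMPLE_CONTEXT))
```

Run audit_workflow_text() over every workflow definition in the deployment; any hit is a workflow that will break once the masking fix lands and that, until then, is handing the initiator's token to anyone allowed to inspect the execution. The masking function returns a new dict so the unmasked context a running task still needs is not clobbered in place.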
Hello,

Bug #1138849 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/-/commit/a2d7bb0fa5d1cd0be292e2fd4d378e675ea5cd88

------------------------------------------------------------------------
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
  Applied upstream patch: "Strip sensitive info from workflow execution
  context" (Closes: #1138849).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138849

Hello,

Bug #1138849 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/-/commit/630d0b404f5c31df817098c074e325ba8c4fdcce

------------------------------------------------------------------------
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
  Applied upstream patch: "Strip sensitive info from workflow execution
  context" (Closes: #1138849).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138849

Hello,

Bug #1138849 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/-/commit/55dfcd746d87dca23ce991da7dcca792b9f513e4

------------------------------------------------------------------------
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
  Applied upstream patch: "Strip sensitive info from workflow execution
  context" (Closes: #1138849).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138849

Hello,

Bug #1138849 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/-/commit/ab1f7017fbc384413681f90ca1f5fee3d785f7c3

------------------------------------------------------------------------
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
  Applied upstream patch: "Strip sensitive info from workflow execution
  context" (Closes: #1138849).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138849

Hello,

Bug #1138849 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/-/commit/35c88147e6b78a9a9efee7ab114da21e9940770b

------------------------------------------------------------------------
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
  Applied upstream patch: "Strip sensitive info from workflow execution
  context" (Closes: #1138849).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138849

Hello,

Bug #1138849 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/-/commit/d36bffb6f94f735e3bf0f596cacf5840d69f9e88

------------------------------------------------------------------------
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
  Applied upstream patch: "Strip sensitive info from workflow execution
  context" (Closes: #1138849).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138849

Hello,

Bug #1138849 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/-/commit/d019f62d58c018ca6ed2dbf7786e8f139ff33e5f

------------------------------------------------------------------------
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
  Applied upstream patch: "Strip sensitive info from workflow execution
  context" (Closes: #1138849).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138849

Hello,

Bug #1138849 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/-/commit/8cf2cbfcd4ab2b1b63ac0e990b5a017ccd29c712

------------------------------------------------------------------------
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
  Applied upstream patch: "Strip sensitive info from workflow execution
  context" (Closes: #1138849).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138849

Hello,

Bug #1138849 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/-/commit/4eb60babf5b17301f95df01c53c074076e0910ef

------------------------------------------------------------------------
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
  Applied upstream patch: "Strip sensitive info from workflow execution
  context" (Closes: #1138849).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138849

Hello,

Bug #1138849 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/-/commit/f3c5f54f153123c90871bc089a5bad3758c5ccf0

------------------------------------------------------------------------
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
  Applied upstream patch: "Strip sensitive info from workflow execution
  context" (Closes: #1138849).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138849

Hello,

Bug #1138849 in mistral reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/mistral/-/commit/9b59052ecffe13d828353382288824e51b2941a4

------------------------------------------------------------------------
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
  Applied upstream patch: "Strip sensitive info from workflow execution
  context" (Closes: #1138849).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1138849
We believe that the bug you reported is fixed in the latest version of
mistral, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated mistral package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 25 May 2026 17:18:35 +0200
Source: mistral
Architecture: source
Version: 20.0.0-2+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138843 1138849
Changes:
mistral (20.0.0-2+deb13u1) trixie-security; urgency=medium
.
* CVE-2026-41283: Mistral policy enforcement bypass allows unauthorized
public resource creation and arbitrary code execution. Applied upstream
patches:
- Restrict publicize policies to admin only
- Remove unnecessary expect_errors=True from policy tests
- Add code_sources publicize policy and enforcement
- Restrict code_sources and dynamic_actions policies to
- Add dynamic_actions publicize policy and enforcement
- Add workbooks publicize policy and enforcement
- Add cron_triggers publicize policy and enforcement
- Add environments publicize policy and enforcement
(Closes: #1138843)
* OSSN-0098: Mistral workflow execution context exposes Keystone auth token.
Applied upstream patch: "Strip sensitive info from workflow execution
context" (Closes: #1138849).
Checksums-Sha1:
f5b854625f9fd69baa1693184ebdd6df39d8f555 3536 mistral_20.0.0-2+deb13u1.dsc
d521ec7e7ace2409de2c97c3cccf67f2f91b67e5 1013184 mistral_20.0.0.orig.tar.xz
1578f0956734337f30a22803d8c6a83d12c10ef9 21228 mistral_20.0.0-2+deb13u1.debian.tar.xz
a47693c653c0ce23b84d9441dc6624cdabec930e 17628 mistral_20.0.0-2+deb13u1_amd64.buildinfo
Checksums-Sha256:
2b37fb33e6f944361d7d0de72c4df31b69ec930d4cfceff6d5e8756549ca3b68 3536 mistral_20.0.0-2+deb13u1.dsc
2c8368e56b9038a8f1b1c75440168a95bf389b9080d923c07fac8f4e4121a1a3 1013184 mistral_20.0.0.orig.tar.xz
442b30306097bc93d48c696d94142f3b580d03a11e6a3d0fed3c47c8587bc228 21228 mistral_20.0.0-2+deb13u1.debian.tar.xz
4c5bef8000bdc6bb942a86a1d614b4be08eb1a75f36c547b47be0d6cf25ae52d 17628 mistral_20.0.0-2+deb13u1_amd64.buildinfo
Files:
64ce16f1e983d06c616f152136efd9bf 3536 net optional mistral_20.0.0-2+deb13u1.dsc
83adc2526c2c78db6d680ec05e032186 1013184 net optional mistral_20.0.0.orig.tar.xz
64d9fb6430c1990ee45b8fd098da6c9a 21228 net optional mistral_20.0.0-2+deb13u1.debian.tar.xz
33ecac5579e813857058b178f4b87ac1 17628 net optional mistral_20.0.0-2+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmolmwAACgkQ1BatFaxr
Q/56pQ/+OzwfZPl56nUwaY+rlbxif00xjHuX4zinCqKikalNx3PhGQsz//w8Tbzs
SGDLlwcz7Fj9VSDouEooYu5iz7WZ7gh8lscVxV7W4llV7Fo0GW3diLYi/mFDz9OC
bz+kg3fqYdk/NKyxEu+Hen+sykaLu+CuDCXpsQYP4JnZQINVGP+dgqYfHD7tzauY
8lWpnnOt4m4JxilSx7dE7jqMF2BpNC+Y/QRODtLSw2+vwqmqpHh1JWN4Cf14D8ZQ
Kpn1Ne4sE0u8TCeKEvvffdQWsjap6dISaPWDsXpL7kFo4JgfBATOafjoSMpbWZjP
PuW7U5fwVV59y5PC+AMF8zFdmTye+P5WwKD8O5W3CyJRTMSplrx84IUrFRbzXjqA
kOGP8loitun+3yELbchi04Xv5d1SLAUhGKMClk2Be95MLqacz9DkmV/CXy7KpiuA
6i691QlzbmLMQ9t50/JJH8UwU/Xf0J56Ra051r6RBa15WJsgvL+GnySr0X/vgCYK
TReNsmHiYT0Ls7LG4gWrn1GHVQe6Taavka1lD5/iqi7b9nVA3ybkenrjk9g7tffG
yHby+HKonrV7Q540vE0cz+8HiDODBITONz4w4uIf361rfDmY7rNgncfYksCkHgci
OP6jsDR2UHgJWvD942xVw4Yzj6/czrSSSBxsCAsOFY0lp6IcFic=
=mn94
-----END PGP SIGNATURE-----