#1139452 CVE-2026-28370 / OSSA-2026-003: Remote code execution through Vitrage query parser

Package: src:vitrage
Source: src:vitrage
Submitter: Thomas Goirand
Date: 2026-06-16 21:05:01 UTC
Severity: normal
Tags:
#1139452#5
Date: 2026-06-09 07:51:10 UTC
https://security.openstack.org/ossa/OSSA-2026-003.html


Date: March 03, 2026
CVE: CVE-2026-28370

Affects: Vitrage: <12.0.1, ==13.0.0, ==14.0.0, ==15.0.0

Description:

Khalil Lemtaffah (Nokia) reported a vulnerability in the Vitrage query parser.
A user allowed to access the Vitrage API may trigger code execution on the
Vitrage service host as the user the Vitrage service runs under. This may
result in unauthorized access to the host and further compromise of the
Vitrage service. All deployments exposing the Vitrage API are affected.

Patches:

https://review.opendev.org/962671 (2023.1/antelope)
https://review.opendev.org/962713 (2024.1/caracal)
https://review.opendev.org/962712 (2024.2/dalmatian)
https://review.opendev.org/962646 (2025.1/epoxy)
https://review.opendev.org/962658 (2025.2/flamingo)
https://review.opendev.org/962617 (2026.1/gazpacho)

Credits:

    Khalil Lemtaffah from Nokia (CVE-2026-28370)

References:

https://storyboard.openstack.org/#!/story/2011539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28370

Notes:

    The stable/2023.1 branch is unmaintained and will receive no new point
    releases, but a patch for it is provided as a courtesy.

#1139452#14
Date: 2026-06-11 09:55:07 UTC
I checked, and the patch for this bug is already in Sid/Testing, so this
bug may be closed (also, because I already opened bugs for Trixie/Bookworm
to fix the issue there).

Cheers,

Thomas Goirand (zigo)

#1139452#19
Date: 2026-06-16 20:47:37 UTC
We believe that the bug you reported is fixed in the latest version of
vitrage, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1139452@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated vitrage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 08 Jun 2026 22:00:22 +0200
Source: vitrage
Architecture: source
Version: 9.0.0-3.1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1139452
Changes:
 vitrage (9.0.0-3.1+deb12u1) bookworm; urgency=medium
 .
   * CVE-2026-28370 / OSSA-2026-003: Remote code execution through Vitrage query
     parser. Applied upstream patch: Replace eval with function matching.
     (Closes: #1139452)
Checksums-Sha1:
 4ee9724166386d7816c41d3ac0bacee7c5ac572d 3765 vitrage_9.0.0-3.1+deb12u1.dsc
 d0f0639ca62db72f3d740c218516fd833a7c503c 1595144 vitrage_9.0.0.orig.tar.xz
 9b0d49ea519ceaf35a43eb60cbbe7fbfbd081518 9156 vitrage_9.0.0-3.1+deb12u1.debian.tar.xz
 9e7e8596eb67b2cc59e6632998fe549f732b764c 20306 vitrage_9.0.0-3.1+deb12u1_amd64.buildinfo
Checksums-Sha256:
 fff6fd5a60812e350360f36eaada8767719d7d1e5216fc0d843aa34d8e0415b4 3765 vitrage_9.0.0-3.1+deb12u1.dsc
 336838c0f88941fb6fc937395a5e581453482945c737db3a1b2b975cd5b9d894 1595144 vitrage_9.0.0.orig.tar.xz
 ba312ee5ba425782e40884dd9d268d2473b94c525188922f7fba8ebeb6b8d61b 9156 vitrage_9.0.0-3.1+deb12u1.debian.tar.xz
 5a8172290982186d185d0c24a557d39e9be1d52d82f3a12ebece1746b23817bd 20306 vitrage_9.0.0-3.1+deb12u1_amd64.buildinfo
Files:
 b6f72c2e942e68fa95abee275728ff8b 3765 net optional vitrage_9.0.0-3.1+deb12u1.dsc
 178c7592e68403bb8beb317d1e3acbcb 1595144 net optional vitrage_9.0.0.orig.tar.xz
 1a186b98e4bc35fbda3dbcb9c96b1ff5 9156 net optional vitrage_9.0.0-3.1+deb12u1.debian.tar.xz
 53b7409994262c2ea688c9b6b40d46d5 20306 net optional vitrage_9.0.0-3.1+deb12u1_amd64.buildinfo
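The changelog entries above name the upstream fix as "Replace eval with function matching". The defensive pattern behind that title is worth seeing in code: instead of rendering a user-supplied query into an expression string and handing it to `eval()` (where any operator name the parser fails to reject becomes executable code), the parser binds each operator the grammar allows to a concrete function and rejects everything else before evaluation. The example below is added here to illustrate that pattern; it is not Vitrage's code and not the content of the linked patches. Its JSON grammar (`and`/`or`/`not` plus comparison operators over `{field: value}` pairs) and the sample entities are constructed assumptions for the demonstration.

```python
import json
import operator
from typing import Any, Callable, Dict, List

# Constructed sample entities (illustrative, not Vitrage data) that queries are matched against.
ENTITIES: List[dict] = [
    {"vitrage_type": "host", "name": "host-1", "state": "ERROR"},
    {"vitrage_type": "host", "name": "host-2", "state": "OK"},
    {"vitrage_type": "vm", "name": "vm-1", "state": "ERROR"},
]

# Function matching: every comparison operator the grammar accepts is bound to a
# concrete function here. A query key that is neither in this table nor one of the
# logical operators handled in validate()/match() is rejected before evaluation,
# so there is no generated expression string for user input to escape from.
COMPARISONS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": operator.eq,
    "!=": operator.ne,
    "<": operator.lt,
    "<=": operator.le,
    ">": operator.gt,
    ">=": operator.ge,
}

SCALAR = (str, int, float, bool, type(None))  # the only value types a comparison may carry


class QueryError(ValueError):
    """Raised for any query node outside the allowed grammar."""


def _subqueries(arg: Any) -> List[dict]:
    if not isinstance(arg, list) or not arg:
        raise QueryError("'and'/'or' expect a non-empty list of sub-queries")
    return arg


def validate(query: Any) -> None:
    """Walk the whole query tree; raise QueryError on the first node outside the grammar."""
    if not isinstance(query, dict) or len(query) != 1:
        raise QueryError("query node must be an object with exactly one key")
    (op, arg), = query.items()
    if op in ("and", "or"):
        for sub in _subqueries(arg):
            validate(sub)
    elif op == "not":
        validate(arg)
    elif op in COMPARISONS:
        if not isinstance(arg, dict) or len(arg) != 1:
            raise QueryError(f"{op!r} expects a single {{field: value}} pair")
        (field, value), = arg.items()
        if not isinstance(field, str) or not isinstance(value, SCALAR):
            raise QueryError("field must be a string and value a scalar")
    else:
        # Anything that is not a known operator name is an error, never "something to try".
        raise QueryError(f"unknown operator {op!r}")


def match(query: dict, entity: dict) -> bool:
    """Evaluate an already validated query node against one entity using table lookups only."""
    (op, arg), = query.items()
    if op == "and":
        return all(match(sub, entity) for sub in arg)
    if op == "or":
        return any(match(sub, entity) for sub in arg)
    if op == "not":
        return not match(arg, entity)
    (field, value), = arg.items()
    if field not in entity:
        return False
    try:
        return bool(COMPARISONS[op](entity[field], value))
    except TypeError:
        return False  # ordering a string against a number, for instance: simply no match


def run_query(query_json: str, entities: List[dict] = ENTITIES) -> List[str]:
    """Parse a JSON query, validate it, and return the names of the entities it matches."""
    query = json.loads(query_json)
    validate(query)
    return [e["name"] for e in entities if match(query, e)]


def is_valid_query(query_json: str) -> bool:
    """True if the query is well-formed JSON and stays inside the grammar, False otherwise."""
    try:
        validate(json.loads(query_json))
    except ValueError:  # covers both JSONDecodeError and QueryError
        return False
    return True


if __name__ == "__main__":
    print(run_query('{"and": [{"==": {"vitrage_type": "host"}}, {"!=": {"state": "OK"}}]}'))
    print(is_valid_query('{"__import__": {"os": 1}}'))
```

The design point is that the set of things the parser can do is exactly the keys of `COMPARISONS` plus the three logical operators; a reviewer can audit it by reading one table, and an unknown key produces a `QueryError` that an API layer can turn into a 400 response and a log line worth alerting on.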

#1139452#24
Date: 2026-06-16 21:03:36 UTC
We believe that the bug you reported is fixed in the latest version of
vitrage, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1139452@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated vitrage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 09 Jun 2026 09:48:17 +0200
Source: vitrage
Architecture: source
Version: 14.0.0-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1139452
Changes:
 vitrage (14.0.0-4+deb13u1) trixie; urgency=medium
 .
   * CVE-2026-28370 / OSSA-2026-003: Remote code execution through Vitrage query
     parser. Applied upstream patch "Replace eval with function matching".
     (Closes: #1139452)
Checksums-Sha1:
 92b3831a12bb8ef65bc40e000f7203b814081b90 3770 vitrage_14.0.0-4+deb13u1.dsc
 6e3dcde6ab3854a772548b8839cc09573d0f3dd1 1593284 vitrage_14.0.0.orig.tar.xz
 624cab7e7cb9cf592ca82c439326f891da55725f 9816 vitrage_14.0.0-4+deb13u1.debian.tar.xz
 1fdd6b06c3d684934b37c11ab0163ffc31b65293 19592 vitrage_14.0.0-4+deb13u1_amd64.buildinfo
Checksums-Sha256:
 3659dd3c97a945586b685cee86761004aa94e078d0b016794605558b492b379d 3770 vitrage_14.0.0-4+deb13u1.dsc
 8f999878f3af470823f40b481c94c7674d34f4c4c8c7df18f6c2d445da8d5344 1593284 vitrage_14.0.0.orig.tar.xz
 2bb2263f6dbe33b21156c1e73f82699cbc5d25749e807aacf8fa52817e52c195 9816 vitrage_14.0.0-4+deb13u1.debian.tar.xz
 88f6c4ff4782af79b4cb6062dea8e6a71831b548071b6c6d6f9b99d733b4ee31 19592 vitrage_14.0.0-4+deb13u1_amd64.buildinfo
Files:
 6e29742ea4a3e8bf9189fe8849c4151c 3770 net optional vitrage_14.0.0-4+deb13u1.dsc
 932ae0188ac1895e8669b16ce027f5d2 1593284 net optional vitrage_14.0.0.orig.tar.xz
 30f35282d707e8c5c30a31c4eb280a3a 9816 net optional vitrage_14.0.0-4+deb13u1.debian.tar.xz
 95c84579a9dcda1328a6923555913c8a 19592 net optional vitrage_14.0.0-4+deb13u1_amd64.buildinfo