Incorrect Resource Transfer Between Spheres

CVE-2026-42997

High

7.7/10

Summary

An issue was discovered in idrac in OpenStack Ironic prior to 26.1.6, 27.x through 29.x prior to 29.0.5, 30.x through 32.x prior to 32.0.1 and 33.x through 35.x prior to 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1 and 35.0.1.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: CHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-669 - Incorrect Resource Transfer Between Spheres

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

References

Advisory

Advisory Timeline

Published May 05, 2026

Incorrect Resource Transfer Between Spheres

CVE-2026-42997

Summary

CWE-669 - Incorrect Resource Transfer Between Spheres

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS