CVE-2026-28370

CRITICAL LAB

OpenStack Vitrage <12.0.1,13.0.0,14.0.0,15.0.0 - Code Injection

Title source: llm

Description

In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2026-28370

View Code ZIP pw:eip

References (3)

[Third Party Advisory] https://github.com/openstack/vitrage/blob/a1f86950e1314b0c740f9cd9b7e9dbab7d02af51/vitrage/graph/query.py#L70

View Writeup ZIP pw:eip

[Various Sources] https://storyboard.openstack.org/#%21/story/2011539

[Mailing List] http://www.openwall.com/lists/oss-security/2026/03/03/6

Scores

CVSS v3 9.1

EPSS 0.0007

EPSS Percentile 22.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Lab Environment

Lab screenshot

patched vulnerable

docker pull ghcr.io/exploitintel/cve-2026-28370-vulnerable:latest

All Labs GitHub

Classification

CWE

CWE-95

Status published

Affected Products (2)

openstack/vitrage < 12.01

pypi/vitrage < 15.0.1PyPI

Timeline

Published Feb 27, 2026

Tracked Since Feb 27, 2026