CVE-2026-28370

CRITICAL LAB

OpenStack Vitrage <12.0.1,13.0.0,14.0.0,15.0.0 - Code Injection

Title source: llm

Description

In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2026-28370

View Code ZIP pw:eip

References (3)

[Third Party Advisory] https://github.com/openstack/vitrage/blob/a1f86950e1314b0c740f9cd9b7e9dbab7d02af51/vitrage/graph/query.py#L70

View Writeup ZIP pw:eip

[Various Sources] https://storyboard.openstack.org/#%21/story/2011539

[Mailing List] http://www.openwall.com/lists/oss-security/2026/03/03/6

Related Analysis

72-Hour Stress Test

Scores

CVSS v3 9.1

EPSS 0.0004

EPSS Percentile 11.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Lab Environment

EIP LAB

Lab screenshot

patched docker pull ghcr.io/exploitintel/cve-2026-28370-patched:latest

vulnerable docker pull ghcr.io/exploitintel/cve-2026-28370-vulnerable:latest

View in Library GitHub

COMMUNITY

docker pull ghcr.io/exploitintel/cve-2026-28370-vulnerable:latest

docker pull ghcr.io/exploitintel/cve-2026-28370-patched:latest

https://github.com/openstack/vitrage

https://github.com/exploitintel/eip-pocs-and-cves

View in Library

Details

CWE

CWE-95

Status published

Products (2)

openstack/vitrage < 12.01

pypi/vitrage 15.0.0.0rc1 - 15.0.1PyPI

Published Feb 27, 2026

Tracked Since Feb 27, 2026