CVE-2026-50589

MEDIUM

OpenStack Ironic < 35.0.1 - Allocation of Resources Without Limits or Throttling

Title source: rule

Description

In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.

Scores

CVSS v3 5.3
EPSS 0.0029
EPSS Percentile 20.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (2)
OpenStack/Ironic 32.0.0 - 35.0.1
OpenStack/Ironic 32.0.0 - 37.0.0
Published Jun 05, 2026
Tracked Since Jun 05, 2026