Vulnerabilities ›

CVE-2026-28370

Critical ⚡ Exploit Available

Critical Code Injection Vulnerability in OpenStack Vitrage Query Parser (CVE-2026-28370)

CWE-95 — Weakness Type

                    Published: Feb 27, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

9.1

🔗 NVD Official

📄 Description (English)

In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.

🤖 AI Executive Summary

OpenStack Vitrage versions before 12.0.1, 13.0.0, 14.0.0, and 15.0.0 contain a code execution vulnerability in the query parser that allows authenticated API users to execute arbitrary code on the Vitrage service host. This vulnerability affects all deployments exposing the Vitrage API and could lead to complete system compromise.

📄 Description (Arabic)

تحتوي دالة _create_query_function في vitrage/graph/query.py على ثغرة تنفيذ أكواد تسمح للمستخدمين المصرح لهم بالوصول إلى API بتنفيذ أكواد عشوائية على خادم خدمة Vitrage. يمكن لهذه الثغرة أن تؤدي إلى وصول غير مصرح به للمضيف والمزيد من التسويس المحتمل لخدمة Vitrage.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: Apr 12, 2026 21:52

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

energy government telecom banking

🎯 MITRE ATT&CK Techniques

T1190 T1059 T1078

⚖️ Saudi Risk Score (AI)

9.0

/ 10.0

🔧 Remediation Steps (English)

Immediately upgrade OpenStack Vitrage to version 12.0.1, 13.0.0, 14.0.0, or 15.0.0 or later. Restrict API access to trusted networks and implement network segmentation. Review access logs for suspicious query patterns. Apply principle of least privilege to Vitrage service account permissions.

🔧 خطوات المعالجة (العربية)

قم بترقية OpenStack Vitrage فوراً إلى الإصدار 12.0.1 أو 13.0.0 أو 14.0.0 أو 15.0.0 أو أحدث. قيد الوصول إلى API للشبكات الموثوقة وطبق تقسيم الشبكة. راجع سجلات الوصول للأنماط المريبة. طبق مبدأ أقل صلاحية على حساب خدمة Vitrage.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.7.1.1 A.7.1.2 A.9.1.1 A.9.2.1

🔵 SAMA CSF

ID.AM-2 PR.AC-1 PR.AC-4 DE.CM-1

🟡 ISO 27001:2022

A.6.1.1 A.9.1.1 A.9.2.1 A.9.4.1

🔗 References & Sources 2

🔗

https://github.com/openstack/vitrage/blob/a1f86950e1314b0c740f9cd9b7e9dbab7d02af51/vitr...

cve@mitre.org

Issue Tracking

🔗

https://storyboard.openstack.org/#%21/story/2011539

cve@mitre.org

Exploit Issue Tracking Vendor Advisory

📦 Affected Products / CPE 4 entries

openstack:vitrage

📊 CVSS Score

9.1

/ 10.0 — Critical

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredH — High

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity Critical

CVSS Score9.1

CWECWE-95

EPSS0.08%

Exploit ✓ Yes

Patch ✓ Yes

Published 2026-02-27

Source Feed nvd

🇸🇦 Saudi Risk Score

9.0

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

exploit-available CWE-95

🏢 Vendor Advisories

🔗 https://storyboard.openstack.org/#%21/story/2011539

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-28370

Introduce Yourself

Sign In Required