CVE-2026-28370

EUVD-2026-8999

27.02.2026, 05:18

In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.

Eval Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.1 CRITICAL	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
openstack	vitrage	𝑥 < 12.01
openstack	vitrage	13.0.0 ≤ 𝑥 < 13.0.1
openstack	vitrage	14.0.0 ≤ 𝑥 < 14.0.1
openstack	vitrage	15.0.0 ≤ 𝑥 < 15.0.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

vitrage

bookworm	vulnerable
bullseye	vulnerable
forky	15.0.1-2 fixed
sid	15.0.1-2 fixed
trixie	vulnerable

Known Exploits!

https://storyboard.openstack.org/#%21/story/2011539

Common Weakness Enumeration

CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

References

https://github.com/openstack/vitrage/blob/a1f86950e1314b0c740f9cd9b7e9dbab7d02af51/vitrage/graph/query.py#L70

https://storyboard.openstack.org/#%21/story/2011539

http://www.openwall.com/lists/oss-security/2026/03/03/6