CVE-2026-41283 Overview
CVE-2026-41283 is an authorization flaw in OpenStack Mistral through version 22.0.0. The workflow service exposes API endpoints that permit arbitrary remote code execution when the API is reachable. Attackers with API access can run code on the Mistral host and exfiltrate service credentials stored in the OpenStack environment. The weakness is tracked under CWE-863: Incorrect Authorization.
Critical Impact
Remote code execution against exposed Mistral APIs leads to full compromise of the workflow service and theft of OpenStack service credentials.
Affected Products
- OpenStack Mistral versions up to and including 22.0.0
- Deployments where the Mistral API is network-exposed
- OpenStack environments relying on Mistral for workflow orchestration
Discovery Timeline
- 2026-06-04 - CVE-2026-41283 published to NVD
- 2026-06-04 - Last updated in NVD database
- 2026-06-03 - Public disclosure via Openwall OSS Security mailing list
Technical Details for CVE-2026-41283
Vulnerability Analysis
OpenStack Mistral is the workflow-as-a-service component used to define and execute tasks across OpenStack projects. The vulnerability resides in Mistral API endpoints that accept user-supplied workflow definitions and evaluate them server-side. Authenticated callers can submit input that the service processes as executable code rather than data.
Because Mistral runs with privileged service credentials, code execution within the API process yields access to the credential store used to call other OpenStack components such as Keystone, Nova, and Neutron. This converts a single authorization weakness into a path for lateral movement across the control plane.
The issue affects all releases up to 22.0.0. Operators exposing the Mistral API beyond trusted management networks are at the highest risk.
Root Cause
The root cause is incorrect authorization [CWE-863] on endpoints that perform code evaluation. The API does not adequately restrict which roles may submit constructs that the workflow engine executes. A caller with low privileges can reach functionality that should require strict administrative scope.
Attack Vector
The attack is network-based and requires only low-privileged API credentials. An attacker submits a crafted request to a vulnerable Mistral endpoint. The workflow engine evaluates the supplied content, runs attacker-controlled code in the Mistral service context, and returns or stages output that can include service tokens and configuration data.
No user interaction is required, attack complexity is low, and the impact crosses a scope boundary because compromise of Mistral grants access to other OpenStack services. Technical details are available in the Openwall OSS Security advisory and the OpenStack Mistral release tags.
Detection Methods for CVE-2026-41283
Indicators of Compromise
- Unexpected workflow or action definitions created through the Mistral API by non-administrative accounts.
- Mistral worker processes spawning shell interpreters, python, or outbound network connections to unfamiliar hosts.
- Reads of credential files such as /etc/mistral/mistral.conf or Keystone token caches from the Mistral service account.
Detection Strategies
- Audit Mistral API logs for POST requests to workflow execution endpoints that originate from low-privileged tenants.
- Correlate Mistral process activity with credential file access and outbound connections that deviate from baseline workflow behavior.
- Inspect Keystone logs for unexpected token issuance or service account use that aligns in time with Mistral API calls.
Monitoring Recommendations
- Forward Mistral API, executor, and engine logs to a centralized analytics platform with retention sufficient for forensic review.
- Alert on new or modified workflows containing inline code constructs, especially when submitted by accounts that previously did not author workflows.
- Monitor egress from Mistral hosts and flag connections to destinations outside the OpenStack management plane.
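The audit and baseline checks described under Detection Strategies and Monitoring Recommendations, as an added example that is not part of the original advisory. It assumes a simple access-log layout (timestamp, project, user, request line, status) and the Mistral v2 endpoint paths for workflows, actions, and executions; the log lines are constructed.

```python
import re

# Constructed sample lines in an assumed Mistral API access-log layout:
# <timestamp> <project_id> <user_id> "<METHOD> <path>" <status>
SAMPLE_LOG = """\
2026-06-03T10:01:12Z proj-ops admin-1 "POST /v2/workflows" 201
2026-06-03T10:02:40Z proj-ops admin-1 "POST /v2/executions" 201
2026-06-03T10:05:03Z proj-dev dev-7 "GET /v2/executions" 200
2026-06-03T10:06:55Z proj-dev dev-7 "POST /v2/workflows" 201
2026-06-03T10:07:10Z proj-dev dev-7 "POST /v2/executions" 201
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<project>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# Endpoints that create workflow/action definitions or start executions
# (assumed v2 paths; adjust to the deployment's API prefix).
SENSITIVE_PATHS = ("/v2/workflows", "/v2/actions", "/v2/executions")


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text, admin_users, known_authors=()):
    """Return (user, path, reason) findings for two conditions from the advisory:
    a POST to a sensitive endpoint by a non-administrative account, and a
    first-time author (an account with no prior workflow authoring baseline)."""
    seen_authors = set(known_authors)
    findings = []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(SENSITIVE_PATHS):
            continue
        if rec["user"] not in admin_users:
            findings.append((rec["user"], rec["path"], "non-admin POST to sensitive endpoint"))
        if rec["user"] not in seen_authors:
            findings.append((rec["user"], rec["path"], "first-time author"))
            seen_authors.add(rec["user"])
    return findings
```

Seed `known_authors` from a retention window of historical logs so that the first-time-author check reflects the real baseline rather than the start of the file.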
How to Mitigate CVE-2026-41283
Immediate Actions Required
- Restrict network reachability of the Mistral API to trusted management networks and administrative jump hosts only.
- Rotate all OpenStack service credentials, Keystone tokens, and any secrets accessible to the Mistral service account.
- Review recent Mistral workflow and action definitions and remove any not authored by approved operators.
Patch Information
No fixed version is identified in the published advisory at the time of writing. Operators should monitor the OpenStack Mistral release tags and the Openwall OSS Security thread for an upstream fix and apply it once available.
Workarounds
- Place the Mistral API behind authenticated reverse proxies and enforce mutual TLS for management plane access.
- Apply Keystone policy rules that deny workflow creation and execution APIs to non-administrative roles until a patch is applied.
- Run Mistral services with the least privilege necessary and isolate the host so that credential theft cannot pivot into other control plane nodes.
# Example: restrict Mistral API exposure with host firewall rules.
# Allow only the management subnet (10.0.0.0/24 here) to reach the Mistral API
# port (8989 is the default). Because -A appends, these two rules must come
# before any broader ACCEPT rule already present in the INPUT chain.
iptables -A INPUT -p tcp --dport 8989 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8989 -j DROP

# Tighten Keystone policy for Mistral workflow creation and execution.
# These are YAML entries for /etc/mistral/policy.yaml, not shell commands:
"executions:create": "rule:admin_only"
"workflows:create": "rule:admin_only"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.