CVE-2026-50589 Overview
CVE-2026-50589 is a denial of service vulnerability in OpenStack Ironic, the bare-metal provisioning service. Versions 32 through 36.x are affected, with the fix landing in version 37.0.0. An unauthenticated attacker can submit a crafted JSON payload to specific endpoints on the API or the JSON-RPC service and trigger a service crash. The flaw is tracked under [CWE-770] (Allocation of Resources Without Limits or Throttling) and reachable over the network without authentication or user interaction.
Critical Impact
A remote, unauthenticated attacker can crash the Ironic API or JSON-RPC service by sending a single malformed JSON request, disrupting bare-metal provisioning operations in affected OpenStack deployments.
Affected Products
- OpenStack Ironic 32.x
- OpenStack Ironic 33.x, 34.x, 35.x, 36.x (all releases prior to 37.0.0)
- OpenStack Ironic JSON-RPC service running affected versions
Discovery Timeline
- 2026-06-05 - CVE-2026-50589 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-50589
Vulnerability Analysis
The vulnerability resides in how OpenStack Ironic parses and processes incoming JSON payloads on its public-facing API and internal JSON-RPC service. A crafted JSON string passed to certain endpoints causes the service process to crash, terminating in-flight requests and halting bare-metal lifecycle operations such as enrollment, deployment, and power management.
The issue is categorized as a resource handling failure rather than a code execution flaw. Confidentiality and integrity remain intact, but availability is degraded because the affected worker process exits when the malformed input is processed. In deployments where multiple operators rely on the Ironic API, a sustained stream of crafted requests can repeatedly crash service workers and prevent legitimate provisioning.
Root Cause
The root cause is the absence of proper resource and input constraints when handling deserialized JSON content, consistent with [CWE-770]. The service accepts input that exceeds safe processing limits or triggers an unhandled exception path, leading to an abrupt termination of the request handler. Because authentication is not required for the vulnerable code path, the attack surface includes anyone with network reachability to the Ironic API or JSON-RPC endpoint.
Attack Vector
Exploitation requires only network access to a vulnerable Ironic endpoint. The attacker sends a single HTTP request containing a specially crafted JSON body to a vulnerable API route, or transmits the same payload to the JSON-RPC service port. No credentials, tokens, or prior session state are required. See OpenStack Security Notice OSSN-0099 and Launchpad Bug Report 2154288 for vendor technical details.
No verified public proof-of-concept code is available. Refer to the vendor advisories for technical specifics rather than synthetic examples.
Detection Methods for CVE-2026-50589
Indicators of Compromise
- Unexpected restarts or crash logs from ironic-api or ironic-json-rpc worker processes correlated with inbound POST or RPC traffic.
- Stack traces or unhandled exceptions in Ironic service logs immediately following requests with abnormally large or malformed JSON bodies.
- Repeated 5xx responses from the Ironic API endpoint coinciding with single-source request bursts.
Detection Strategies
- Parse Ironic service logs for crash signatures and tie them to the source IP and request path that preceded the failure.
- Inspect HTTP request bodies destined for /v1/ Ironic API routes for malformed JSON, excessive nesting, or oversized fields.
- Monitor the JSON-RPC listener (default TCP 8089) for unauthenticated connections from outside the management network.
Monitoring Recommendations
- Alert on process exits or systemd restart events for Ironic services in the control plane.
- Track request rate and 5xx error ratio per source IP against the Ironic API and trigger thresholds for anomalous spikes.
- Forward Ironic and reverse-proxy logs to a centralized analytics platform and retain them for post-incident review.
How to Mitigate CVE-2026-50589
Immediate Actions Required
- Upgrade OpenStack Ironic to version 37.0.0 or later, which contains the fix.
- Restrict network access to the Ironic API and JSON-RPC service so only management-plane hosts and authorized clients can reach them.
- Review recent Ironic logs for crash patterns that may indicate prior probing or exploitation attempts.
Patch Information
The vulnerability is resolved in OpenStack Ironic 37.0.0. Operators running versions 32 through 36.x should plan an upgrade through their distribution's package channel or deployment tooling. Consult OpenStack Security Notice OSSN-0099 and the OpenWall OSS Security advisory for full remediation guidance and backport availability.
Workarounds
- Place the Ironic API behind a reverse proxy or web application firewall that enforces JSON body size limits and rejects malformed payloads.
- Bind the JSON-RPC service to an internal management interface only and block external access at the host firewall.
- Require authentication at the proxy layer for any client that does not originate from a trusted control-plane subnet.
# Example: restrict Ironic JSON-RPC to the management network using iptables
iptables -A INPUT -p tcp --dport 8089 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8089 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
