{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2026-34881","assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","state":"PUBLISHED","assignerShortName":"mitre","dateReserved":"2026-03-31T05:29:07.975Z","datePublished":"2026-03-31T05:29:08.449Z","dateUpdated":"2026-06-30T12:09:07.020Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Glance","vendor":"OpenStack","versions":[{"lessThan":"29.1.1","status":"affected","version":"0","versionType":"semver"},{"lessThan":"30.1.1","status":"affected","version":"30.0.0","versionType":"semver"},{"status":"affected","version":"31.0.0","versionType":"semver"}]}],"descriptions":[{"lang":"en","value":"OpenStack Glance before 29.1.1, 30.x before 30.1.1, and 31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-918","description":"CWE-918 Server-Side Request Forgery (SSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre","dateUpdated":"2026-04-02T18:20:21.022Z"},"references":[{"url":"https://bugs.launchpad.net/glance/+bug/2138602"},{"url":"https://security.openstack.org/ossa/OSSA-2026-004.html"}],"x_generator":{"engine":"CVE-Request-form 0.0.1"},"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*","versionEndExcluding":"29.1.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*","versionStartIncluding":"30.0.0","versionEndExcluding":"30.1.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*","versionStartIncluding":"31.0.0","versionEndIncluding":"31.0.0"}]}]}]},"adp":[{"references":[{"url":"https://bugs.launchpad.net/glance/+bug/2138602","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-31T13:47:30.640583Z","id":"CVE-2026-34881","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-31T13:47:36.130Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openstack:16.2"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 16.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:17.1"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 17.1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:18.0"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 18.0","vendor":"Red Hat"}],"datePublic":"2026-03-25T20:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in OpenStack Glance. An authenticated user can exploit a Server-Side Request Forgery (SSRF) vulnerability within the web-download import feature. This vulnerability stems from inadequate validation of Uniform Resource Identifiers (URIs), which can be circumvented using HTTP redirects or alternative IP encodings. Successful exploitation allows an attacker to gain unauthorized access to internal network resources and potentially exfiltrate sensitive data."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-918","description":"Server-Side Request Forgery (SSRF)","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-34881"},{"name":"RHBZ#2440368","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440368"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34881.json"}],"timeline":[{"lang":"en","time":"2026-02-17T13:36:28.695Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-25T20:00:00.000Z","value":"Made public."}],"title":"openstack-glance: OpenStack Glance: Server-Side Request Forgery leading to unauthorized internal network access","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:09:07.020Z"}}]},"dataVersion":"5.2"}