OpenStack Vitrage Query Parser Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in the query parser of OpenStack Vitrage versions prior to 12.0.1, 13.0.0, 14.0.0, and 15.0.0. It allows a user with access to the Vitrage API to execute code on the host where the Vitrage service is running, potentially leading to unauthorized access and further compromise of the Vitrage service. The issue is in the '_create_query_function' function in 'vitrage/graph/query.py'.
Impact
Exploitation of this vulnerability allows remote code execution on the Vitrage service host, with the privileges of the user under which the Vitrage service runs.
