OpenStack Ironic Jinja2 Template Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability in OpenStack Ironic versions through 35.x allows for Jinja2 template injection, which can be exploited to achieve remote code execution. The issue arises because instance_info['ks_template'] is rendered using an unsandboxed Jinja2 environment, enabling authenticated users to inject malicious templates that are fetched and executed on the server side. This vulnerability is particularly concerning in kickstart-based deployments using the Anaconda deployment interface.

Impact

Exploitation of this vulnerability leads to a full compromise of the Ironic conductor process, allowing access to sensitive internal data, including BMC credentials and database connections. It also enables manipulation of provisioning for all nodes managed by the compromised conductor.

Reproduction

To reproduce this vulnerability, an authenticated user must set instance_info['ks_template'] to an HTTP URL pointing to a malicious Jinja2 template. This can be done through Glance image properties, which may be admin-controlled, but the template rendering issue can be exploited by any project member. Once the template is set, it will be fetched and rendered on the server without any sandboxing, allowing for the execution of arbitrary code on the conductor process.

Remediation

The vulnerability has been fixed in the OpenStack Ironic master branch and backported to the stable/2026.1 branch. Users should upgrade to version 2026.1 or later.
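The difference between the unsandboxed rendering described above and Jinja2's SandboxedEnvironment, as an added example that is not Ironic's code and is not taken from the upstream fix. The context key ks_options, the URL and both template bodies are constructed sample values, and the probe is a harmless introspection expression.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed render context; the key and URL are sample values (assumptions).
CONTEXT = {"ks_options": {"liveimg_url": "http://192.0.2.10/image.tar"}}

# Constructed template bodies standing in for what a ks_template URL returns.
LEGITIMATE = "liveimg --url {{ ks_options.liveimg_url }}"
# Harmless introspection probe: it only asks for the type hierarchy of the
# context object, which an unsandboxed renderer hands over without complaint.
PROBE = "# {{ ks_options.__class__.__mro__ }}"


def render(env_cls, source):
    """Render source with env_cls; return None if the sandbox rejects it."""
    env = env_cls()
    try:
        return env.from_string(source).render(**CONTEXT)
    except SecurityError:
        return None


def leaks_internals(rendered):
    """True when the rendered output exposes Python type objects."""
    return rendered is not None and "<class " in rendered


if __name__ == "__main__":
    environments = (("unsandboxed", Environment),
                    ("sandboxed", SandboxedEnvironment))
    templates = (("legitimate", LEGITIMATE), ("probe", PROBE))
    for env_name, env_cls in environments:
        for label, source in templates:
            out = render(env_cls, source)
            print(f"{env_name:12} {label:10} "
                  f"leak={leaks_internals(out)} -> {out!r}")
```

Ordinary value substitution renders identically in both environments; only the underscore-prefixed attribute access is refused by the sandbox.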

Added: May 8, 2026, 7:22 AM
Updated: May 8, 2026, 7:22 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 7.5
exploitability: 5.6
remediation: 8.3
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.