=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN592
_____________________________________________________________________

DATE                : 04/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Mistral.

=====================================================================
https://security.openstack.org/ossa/OSSA-2026-020.html
_____________________________________________________________________


OSSA-2026-020: Mistral policy enforcement bypass allows unauthorized
public resource creation and arbitrary code execution

Date:

    June 03, 2026
CVE:

    CVE-2026-41283

Affects

    Mistral: >=20.0.0 <20.1.1, ==21.0.0, ==22.0.0

Description

Eduardo Gonzalez Gutierrez and Arnaud Morin (OVHcloud) reported that
several Mistral API endpoints do not enforce access policies, allowing
any authenticated user to create public resources and upload
arbitrary code that executes on Mistral executor workers. An attacker
could extract sensitive data including service credentials from the
worker. Deployments exposing the Mistral API are affected.
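A small "am I affected" check against the version ranges in the Affects section above, added here as an example (it is neither part of the advisory nor Mistral project code); it assumes the deployed Mistral version is known as a dotted X.Y.Z string such as the ones the advisory uses.

```python
"""Check a deployed Mistral version against the OSSA-2026-020 affected ranges."""
import re
import sys

# Affected ranges exactly as published in the advisory's Affects section.
AFFECTED = ">=20.0.0 <20.1.1, ==21.0.0, ==22.0.0"

# Comparison operators used in OpenStack advisory range notation.
OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}


def parse_version(text):
    """Turn '20.1.1' into (20, 1, 1), padded to three components so that
    comparisons are numeric ('20.10.0' > '20.1.1') rather than string-wise."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def parse_ranges(spec):
    """Split 'a b, c' into clauses joined by OR; inside a clause every
    '<op>version' constraint must hold (AND), e.g. '>=20.0.0 <20.1.1'."""
    clauses = []
    for clause in spec.split(","):
        found = re.findall(r"(>=|<=|==|<|>)\s*(\d+(?:\.\d+)*)", clause)
        clauses.append([(op, parse_version(v)) for op, v in found])
    return clauses


def is_affected(version, spec=AFFECTED):
    """True if `version` falls inside any affected clause of `spec`."""
    v = parse_version(version)
    return any(all(OPS[op](v, bound) for op, bound in clause)
               for clause in parse_ranges(spec))


if __name__ == "__main__":
    # Usage: python check_mistral.py <deployed-version>, e.g. 20.1.0
    deployed = sys.argv[1] if len(sys.argv) > 1 else "20.1.0"
    state = "AFFECTED" if is_affected(deployed) else "not in affected ranges"
    print(f"Mistral {deployed}: {state} (OSSA-2026-020)")
```

Versions outside the listed ranges are reported as not affected only with respect to this advisory; the fix for the >=20.0.0 branch is 20.1.1, while 21.0.0 and 22.0.0 are listed as single affected releases.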

Patches

    https://review.opendev.org/991416 (2025.1/epoxy)

    https://review.opendev.org/991417 (2025.1/epoxy)

    https://review.opendev.org/991418 (2025.1/epoxy)

    https://review.opendev.org/991419 (2025.1/epoxy)

    https://review.opendev.org/991420 (2025.1/epoxy)

    https://review.opendev.org/991421 (2025.1/epoxy)

    https://review.opendev.org/991422 (2025.1/epoxy)

    https://review.opendev.org/991423 (2025.1/epoxy)

    https://review.opendev.org/991408 (2025.2/flamingo)

    https://review.opendev.org/991409 (2025.2/flamingo)

    https://review.opendev.org/991410 (2025.2/flamingo)

    https://review.opendev.org/991411 (2025.2/flamingo)

    https://review.opendev.org/991412 (2025.2/flamingo)

    https://review.opendev.org/991413 (2025.2/flamingo)

    https://review.opendev.org/991414 (2025.2/flamingo)

    https://review.opendev.org/991415 (2025.2/flamingo)

    https://review.opendev.org/991400 (2026.1/gazpacho)

    https://review.opendev.org/991401 (2026.1/gazpacho)

    https://review.opendev.org/991402 (2026.1/gazpacho)

    https://review.opendev.org/991403 (2026.1/gazpacho)

    https://review.opendev.org/991404 (2026.1/gazpacho)

    https://review.opendev.org/991405 (2026.1/gazpacho)

    https://review.opendev.org/991406 (2026.1/gazpacho)

    https://review.opendev.org/991407 (2026.1/gazpacho)

    https://review.opendev.org/991392 (2026.2/hibiscus)

    https://review.opendev.org/991393 (2026.2/hibiscus)

    https://review.opendev.org/991394 (2026.2/hibiscus)

    https://review.opendev.org/991395 (2026.2/hibiscus)

    https://review.opendev.org/991396 (2026.2/hibiscus)

    https://review.opendev.org/991397 (2026.2/hibiscus)

    https://review.opendev.org/991398 (2026.2/hibiscus)

    https://review.opendev.org/991399 (2026.2/hibiscus)


Credits

    Eduardo Gonzalez Gutierrez from Independent (CVE-2026-41283)

    Arnaud Morin from OVHcloud (CVE-2026-41283)


References

    https://launchpad.net/bugs/2147178

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41283



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================