CVE-2026-41283 · OpenStack Mistral through 22.0.0

01 · The Real Story

This is a master key hidden behind a side door, not a brick through the front window

CVE-2026-41283 is an authorization failure in OpenStack Mistral where several API endpoints fail to enforce policy correctly. Per the OpenStack advisory, affected versions are >=20.0.0 <20.1.1, ==21.0.0, and ==22.0.0; any authenticated user who can reach the Mistral API can create public resources and upload arbitrary code that later runs on Mistral executor workers, with potential theft of service credentials from those workers.

The vendor's 9.9 CRITICAL score captures the *impact* once exploited, but it overstates the *reachability* for most enterprises. This is not unauthenticated edge RCE: the attacker needs a valid authenticated user context plus API reachability to a relatively niche OpenStack component that is often internal-only, but if those two conditions are met the blast radius can jump from one tenant foothold to cloud service credentials fast.

"Serious cloud pivot risk, but it is not internet-wide pre-auth RCE; the auth and deployment friction knock it below CRITICAL"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get any valid OpenStack user foothold

The attacker first obtains a low-privilege Keystone-backed identity or any other valid authentication context accepted by the Mistral API. Weaponization here is basic openstack token issue / curl usage rather than a specialized exploit kit, because the advisory says the vulnerable condition is policy non-enforcement on API endpoints rather than memory corruption.

Conditions required:

A deployed Mistral service in an affected version range
A valid authenticated user account or token
Network path to the Mistral API

Where this breaks in practice:

Many enterprises do not expose Mistral externally
Mistral is not universally deployed even inside OpenStack estates
Identity controls, tenant onboarding friction, and MFA around upstream auth reduce mass exploitation

Detection/coverage: Auth logs in Keystone and reverse proxy logs can show token issuance and new API use by low-privilege users, but generic vuln scanners may miss this because version-only checks do not prove the API is reachable by untrusted users.

STEP 02

Abuse unguarded Mistral endpoints

Using curl or python-mistralclient, the attacker calls API endpoints that should be policy-gated but are not. The advisory states this lets an authenticated user create *public* resources and upload arbitrary code, effectively bypassing intended authorization boundaries.

Conditions required:

User can invoke the vulnerable endpoints
Policy checks are still in the affected code path

Where this breaks in practice:

Some deployments place Mistral behind internal load balancers or service networks only
Custom API gateways or RBAC wrappers may narrow exposure even when the product is vulnerable

Detection/coverage: Look for unusual creation of public workflows/actions/environments by non-admin users, especially from tenant identities that have never touched Mistral before.

STEP 03

Trigger code on executor workers

The malicious workflow/action is then executed by Mistral executor workers. At that point the issue stops being 'just auth bypass' and becomes code execution in the worker context, typically via uploaded workflow/action content handled by the platform's normal execution path.

Conditions required:

Executor workers are enabled and processing jobs
The uploaded resource is accepted and runnable

Where this breaks in practice:

Worker-side isolation, containerization, or reduced service account scope can limit what the code can touch
If Mistral is deployed but barely used, attacker testing may stand out operationally

Detection/coverage: EDR on controller/executor nodes, process creation telemetry, and Python child process monitoring are the best bets; network scanners will not see this step.

STEP 04

Harvest credentials and pivot

OpenStack's advisory explicitly warns that sensitive data including service credentials may be extracted from the worker. Those credentials can enable lateral movement into adjacent OpenStack services, turning one authenticated user in one service into broader control-plane access.

Conditions required:

Useful credentials or secrets are present on the worker
Those credentials have meaningful downstream privileges

Where this breaks in practice:

Least-privilege service accounts and secret rotation reduce post-exploit value
Segmentation between control-plane services can slow the pivot

Detection/coverage: Watch for credential access from Mistral hosts, unexpected API calls to Keystone/Nova/Neutron/Cinder using service identities, and anomalous east-west traffic from executor nodes.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found as of 2026-06-04. It is not in CISA KEV, and I found no GreyNoise-tagged campaign or vendor statement claiming active exploitation.
Proof-of-concept availability	No public PoC located in the sources reviewed. Current public detail is the OpenStack advisory describing the exploit path; that lowers copy-paste attacker convenience for now, but the bug class is straightforward enough that private weaponization is plausible.
EPSS	No public EPSS value located at time of writing from FIRST sources. Treat this as insufficient data, not reassurance.
KEV status	Not KEV-listed as of 2026-06-04. That removes the strongest urgency amplifier, but does not change the underlying cloud-control-plane risk if Mistral is exposed to tenant users.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` — the important part is `PR:L`. This is authenticated remote exploitation with scope change, not anonymous internet spray-and-pray.
Affected versions	OpenStack lists `>=20.0.0 <20.1.1`, `==21.0.0`, and `==22.0.0` as affected.
Fixed versions	Advisory patches are published for supported branches, but I did not find a publicly listed final tagged maintenance release for the vulnerable `21.0.0` and `22.0.0` lines in the OpenStack releases page at time of writing. For `20.x`, the advisory implies `20.1.1` is fixed.
Scanning / exposure reality	Mistral's documented API runs on port `8989`. I found no public GreyNoise/Censys/Shodan count tied specifically to this CVE in the reviewed sources; operationally, the bigger question is whether your tenant users can reach Mistral at all, because many deployments keep it on internal controller networks.
Disclosure	Public advisory dated 2026-06-03 on `oss-sec`; user-provided disclosure date 2026-06-04 aligns with CVE publication timing.
Reporter / researcher	Reported by Eduardo Gonzalez Gutierrez and Arnaud Morin (OVHcloud) according to OpenStack's advisory.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.1/10)

The decisive friction is authenticated reachability: the attacker needs a valid user context and access to a niche OpenStack service that is often not exposed outside internal or tenant-trusted paths. That keeps this out of CRITICAL for most estates, but once those conditions are met the ability to run code on executor workers and steal service credentials is a real control-plane escalation risk.

HIGH Impact if exploited on an affected, reachable Mistral deployment

MEDIUM Population-wide reachability and internet exposure assumptions across enterprise OpenStack estates

MEDIUM Patched release naming for all supported branches on public release pages

Why this verdict

Downgraded for attacker position: vendor 9.9 assumes the damage path, but exploitation requires authenticated remote access (PR:L), which means the attacker already has a foothold or valid tenant identity.
Downgraded for exposure population: Mistral is a specialized OpenStack workflow service, not a ubiquitous edge service, and many enterprises keep it on internal/controller networks rather than public internet.
Kept HIGH for blast radius: once exploited, this is not a cosmetic RBAC miss; it becomes arbitrary code execution on executor workers with potential service credential theft and cross-service pivoting.

Why not higher?

It is not an unauthenticated internet-edge flaw, and the affected component is not broadly exposed in the same way as VPNs, firewalls, or webmail. The prerequisite chain compounds downward pressure: valid account, Mistral deployed, Mistral reachable, and workers carrying useful credentials.

Why not lower?

The post-exploit impact is too strong for MEDIUM. An ordinary authenticated user can allegedly turn authorization gaps into code execution on control-plane-adjacent workers, and stolen service credentials can widen impact far beyond the original tenant account.

05 · Compensating Control

What to do — in priority order.

Restrict Mistral API reachability — Put the Mistral API behind admin-only or internal-only network paths immediately, and where possible remove tenant/user access until patched. For a HIGH verdict, deploy this compensating control within 30 days; if you have evidence of abuse, treat it as immediate emergency containment.
Disable or gate public resource creation — If your deployment allows policy overrides or API gateway rules, block non-admin creation of public workflows/actions/environments and other upload-capable endpoints. This directly targets the advisory's exploit path and should be in place within 30 days if patching is delayed.
Reduce executor credential value — Rotate and narrow service credentials available to Mistral workers, and remove unused cloud-wide privileges from the worker context. This does not stop code execution, but it sharply reduces the pivot value if exploitation occurs; complete within 30 days.
Hunt for suspicious Mistral object creation — Query audit/API logs for new public workflows, actions, environments, or definitions created by low-privilege users, especially identities that rarely use Mistral. Stand up this detection within 30 days while patch rollout proceeds.

What doesn't work

Perimeter WAF alone doesn't solve this; the exploit uses legitimate authenticated API calls against business logic, not obvious payload signatures.
MFA by itself only protects the front door to the identity plane. It reduces account theft risk but does nothing once a user token is valid.
Version-only scanning alone is not enough. You also need to know whether Mistral is deployed, reachable by tenant users, and actually used.

06 · Verification

Crowdsourced verification payload.

Run this on the target Mistral host or in the service venv/container where the mistral Python package is installed. Invoke as bash check-cve-2026-41283.sh; no root is required if the Python environment is readable, though root may be needed on locked-down appliances. The script prints VULNERABLE, PATCHED, or UNKNOWN and exits 0, 1, or 2 respectively.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-41283.sh
# Determine likely exposure to CVE-2026-41283 based on installed OpenStack Mistral version.
# Exit codes: 0=VULNERABLE, 1=PATCHED, 2=UNKNOWN

set -u

PYTHON_BIN="${PYTHON_BIN:-python3}"

get_version() {
  "$PYTHON_BIN" - <<'PY'
import sys
try:
    try:
        from importlib.metadata import version
    except Exception:
        from importlib_metadata import version  # type: ignore
    print(version("mistral"))
except Exception:
    sys.exit(1)
PY
}

ver_cmp_py='from packaging.version import Version as V
import sys
v=V(sys.argv[1])
expr=sys.argv[2]
if expr=="lt": sys.exit(0 if v < V(sys.argv[3]) else 1)
elif expr=="le": sys.exit(0 if v <= V(sys.argv[3]) else 1)
elif expr=="eq": sys.exit(0 if v == V(sys.argv[3]) else 1)
elif expr=="ge": sys.exit(0 if v >= V(sys.argv[3]) else 1)
elif expr=="gt": sys.exit(0 if v > V(sys.argv[3]) else 1)
else: sys.exit(2)'

ver_test() {
  "$PYTHON_BIN" -c "$ver_cmp_py" "$1" "$2" "$3"
}

VERSION="$(get_version 2>/dev/null || true)"
if [ -z "$VERSION" ]; then
  echo "UNKNOWN - Python package 'mistral' not found in current environment"
  exit 2
fi

# Known affected ranges from OSSA-2026-020:
# >=20.0.0 <20.1.1, ==21.0.0, ==22.0.0
if ver_test "$VERSION" ge "20.0.0" && ver_test "$VERSION" lt "20.1.1"; then
  echo "VULNERABLE - installed mistral version $VERSION is in affected range >=20.0.0 <20.1.1"
  exit 0
fi

if ver_test "$VERSION" eq "21.0.0"; then
  echo "VULNERABLE - installed mistral version $VERSION matches affected version 21.0.0"
  exit 0
fi

if ver_test "$VERSION" eq "22.0.0"; then
  echo "VULNERABLE - installed mistral version $VERSION matches affected version 22.0.0"
  exit 0
fi

# If version is below 20.0.0, unaffected per advisory ranges we have.
if ver_test "$VERSION" lt "20.0.0"; then
  echo "PATCHED - installed mistral version $VERSION is below the published affected ranges"
  exit 1
fi

# Anything newer than the exact vulnerable singletons is treated as patched,
# but note that public release tags for all maintenance lines may lag advisory publication.
if ver_test "$VERSION" ge "20.1.1"; then
  if ! ver_test "$VERSION" eq "21.0.0" && ! ver_test "$VERSION" eq "22.0.0"; then
    echo "PATCHED - installed mistral version $VERSION is not in the published affected ranges"
    exit 1
  fi
fi

echo "UNKNOWN - unable to confidently classify mistral version $VERSION"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: identify every place Mistral is actually deployed, then answer one question first — can tenant or low-privilege authenticated users reach the Mistral API? If yes, apply a temporary access restriction or endpoint block within the noisgate mitigation SLA of 30 days; if you see suspicious Mistral object creation or any sign of abuse, patch / mitigate immediately, within hours despite the non-KEV status. After containment, move all affected >=20.0.0 <20.1.1, 21.0.0, and 22.0.0 instances onto a fixed build under the noisgate remediation SLA of 180 days, with internet- or tenant-reachable control-plane deployments first in line.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.