Threat Advisory

OpenStack Mistral Vulnerability Enables Policy Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
EXECUTIVE SUMMARY:

CVE-2026-41283 with a CVSS score of 9.9 is a critical policy bypass vulnerability in the OpenStack Mistral workflow service, affecting all Mistral deployments on the Epoxy, Flamingo, and Gazpacho release branches that have not yet applied the vendor updates. The flaw stems from missing policy validations across several Mistral API endpoints, allowing any authenticated tenant to create public resources and upload arbitrary code that runs on the executor workers. An attacker needs only a valid user account—no administrative privileges—and can exploit the weakness via a standard HTTPS API call to the vulnerable endpoint, supplying a malicious script as the resource payload. Successful exploitation results in arbitrary code execution on the worker nodes, enabling the adversary to harvest sensitive configuration data, including service credentials, and to pivot within the cloud infrastructure. Business impact includes potential data breach, credential leakage, and disruption of cloud workloads, which can lead to loss of customer trust, regulatory penalties, and operational downtime. Exploitation requires that the target environment permit authenticated API access and that the vulnerable policy checks remain unpatched.

RECOMMENDATION:

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/mistral-policy-bypass-flaw/