MEDIUM 6.0

GHSA-6wrm-x65g-hr4p

OpenStack Horizon RC file generation does not escape special characters in project names

Details

OpenStack Horizon before 25.7.4 generates downloadable OpenStack RC file scripts in which a crafted project name containing shell metacharacters is not escaped. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability.
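The escaping problem described above, as an added example that is not Horizon's own code: it compares a double-quoted `export` line with one built using `shlex.quote`, and checks in `sh` whether the project name survives unchanged. The `export OS_PROJECT_NAME=...` line shape, the function names and the sample project names are assumptions constructed for illustration.

```python
import shlex
import subprocess
from typing import Callable, Optional

# Assumed shape of one RC-file line; Horizon's real template is not shown on this page.
def render_unsafe(project_name: str) -> str:
    # Double quotes still let the shell expand $(...), backticks and $VAR.
    return f'export OS_PROJECT_NAME="{project_name}"'

def render_safe(project_name: str) -> str:
    # shlex.quote returns one single-quoted POSIX shell word, so nothing expands.
    return f"export OS_PROJECT_NAME={shlex.quote(project_name)}"

def value_after_sourcing(rc_line: str) -> Optional[str]:
    """Run the line in sh and return the resulting variable value.

    Returns None when the shell rejects the line (for example, unbalanced quotes).
    """
    script = rc_line + '\nprintf "%s" "$OS_PROJECT_NAME"\n'
    result = subprocess.run(["sh", "-c", script], capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None

def survives_round_trip(render: Callable[[str], str], project_name: str) -> bool:
    """True when the shell sees exactly the name that was stored, nothing more."""
    return value_after_sourcing(render(project_name)) == project_name

# Constructed sample project names; "INJECTED" is a harmless marker.
SAMPLES = [
    "demo",
    "R&D team's project",
    "demo$(echo INJECTED)",
    'a"b`echo X`c',
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:28} unsafe_ok={survives_round_trip(render_unsafe, name)} "
              f"safe_ok={survives_round_trip(render_safe, name)}")
```

The same round-trip check works as a regression test for any template that writes user-controlled strings into a shell script.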

Affected packages

PyPI / horizon
Introduced in: 0

No fixed version published yet for horizon (pip). Pin to a known-safe version or switch to an alternative.

References