MEDIUM 5.0

GHSA-mc26-q38v-83gv

OpenStack Glance is affected by Server-Side Request Forgery (SSRF)

Details

OpenStack Glance versions < 29.1.1, >= 30.0.0 < 30.1.1, == 31.0.0 are affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only the glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin.
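An added example, not Glance's own code, of the pattern this advisory describes: a URL check that runs only on the URL the user supplies is bypassed when the remote host answers with a redirect to an internal address, while re-running the same check on every Location hop closes the gap. FAKE_HTTP, is_allowed_url, fetch_naive, fetch_hardened and redirect_is_blocked are constructed names, and the HTTP exchange is simulated with a dict so the code runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for an HTTP client: URL -> (status, headers, body).
# A public image host answers one path with a redirect to a private address.
FAKE_HTTP = {
    "https://images.example.com/cirros.img": (302, {"Location": "http://10.0.0.5/internal/"}, b""),
    "http://10.0.0.5/internal/": (200, {}, b"internal-service-data"),
    "https://images.example.com/ok.img": (200, {}, b"image-bytes"),
}
REDIRECT_CODES = (301, 302, 303, 307, 308)


def is_allowed_url(url: str) -> bool:
    """Allow only http(s) and refuse literal IPs outside globally routable space."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return True  # hostname: DNS resolution check omitted so this stays offline
    return ip.is_global


def fetch_naive(url: str, max_redirects: int = 5) -> bytes:
    """Vulnerable pattern: validate the initial URL once, then follow redirects blindly."""
    if not is_allowed_url(url):
        raise ValueError(f"blocked url: {url}")
    for _ in range(max_redirects + 1):
        status, headers, body = FAKE_HTTP[url]
        if status in REDIRECT_CODES:
            url = headers["Location"]  # never re-checked: lands on 10.0.0.5
            continue
        return body
    raise ValueError("too many redirects")


def fetch_hardened(url: str, max_redirects: int = 5) -> bytes:
    """Hardened: every redirect target passes the same check before it is requested."""
    for _ in range(max_redirects + 1):
        if not is_allowed_url(url):
            raise ValueError(f"blocked url: {url}")
        status, headers, body = FAKE_HTTP[url]
        if status in REDIRECT_CODES:
            url = headers["Location"]
            continue
        return body
    raise ValueError("too many redirects")


def redirect_is_blocked(url: str) -> bool:
    """True if the hardened fetch refuses the redirect chain starting at url."""
    try:
        fetch_hardened(url)
    except ValueError:
        return True
    return False
```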


Affected packages

PyPI / glance
Introduced in: 0
Fixed in: 29.2.0
Fix: pip install --upgrade 'glance>=29.2.0'

PyPI / glance
Introduced in: 30.0.0
Fixed in: 30.2.0
Fix: pip install --upgrade 'glance>=30.2.0'

PyPI / glance
Introduced in: 31.0.0
Fixed in: 31.1.0
Fix: pip install --upgrade 'glance>=31.1.0'
