HIGH 7.5

PYSEC-2026-216

Details

In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / ironic

Introduced in: 32.0.0 Fixed in: 37.0.0

Fix pip install --upgrade 'ironic>=37.0.0'

References

https://bugs.launchpad.net/ironic/+bug/2154288 [REPORT]
http://www.openwall.com/lists/oss-security/2026/06/06/2 [FIX]
https://wiki.openstack.org/wiki/OSSN/OSSN-0099 [FIX]