{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-34881", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-03-31T05:29:07.975Z", "datePublished": "2026-03-31T05:29:08.449Z", "dateUpdated": "2026-03-31T13:47:36.130Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Glance", "vendor": "OpenStack", "versions": [{"lessThan": "29.1.1", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "30.1.1", "status": "affected", "version": "30.0.0", "versionType": "semver"}, {"status": "affected", "version": "31.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "OpenStack Glance <29.1.1, >=30.0.0 <30.1.1, ==31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T05:33:03.044Z"}, "references": [{"url": "https://bugs.launchpad.net/glance/+bug/2138602"}, {"url": "https://security.openstack.org/ossa/OSSA-2026-004.html"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"references": [{"url": "https://bugs.launchpad.net/glance/+bug/2138602", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T13:47:30.640583Z", "id": "CVE-2026-34881", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:47:36.130Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34881", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T13:47:30.640583Z"}}}], "references": [{"url": "https://bugs.launchpad.net/glance/+bug/2138602", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:47:25.950Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenStack", "product": "Glance", "versions": [{"status": "affected", "version": "0", "lessThan": "29.1.1", "versionType": "semver"}, {"status": "affected", "version": "30.0.0", "lessThan": "30.1.1", "versionType": "semver"}, {"status": "affected", "version": "31.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://bugs.launchpad.net/glance/+bug/2138602"}, {"url": "https://security.openstack.org/ossa/OSSA-2026-004.html"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "OpenStack Glance <29.1.1, >=30.0.0 <30.1.1, ==31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T05:33:03.044Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34881", "state": "PUBLISHED", "dateUpdated": "2026-03-31T13:47:36.130Z", "dateReserved": "2026-03-31T05:29:07.975Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-31T05:29:08.449Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenStack Glance <29.1.1, >=30.0.0 <30.1.1, ==31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin."}], "id": "CVE-2026-34881", "lastModified": "2026-03-31T15:16:20.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-03-31T06:16:01.130", "references": [{"source": "cve@mitre.org", "url": "https://bugs.launchpad.net/glance/+bug/2138602"}, {"source": "cve@mitre.org", "url": "https://security.openstack.org/ossa/OSSA-2026-004.html"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://bugs.launchpad.net/glance/+bug/2138602"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,29.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[30.0.0,30.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "31.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Glance", "source": "cna", "vendor": "OpenStack"}, "product": "glance", "vendor": "openstack"}], "analysis": {"en": {"generated_at": "2026-03-31T07:21:08.091653+00:00", "value": {"mitigation_remediation": ["Upgrade OpenStack Glance to a version later than 29.1.1, 30.1.1, or 31.0.1 to eliminate the SSRF flaw.", "If an upgrade cannot be performed immediately, restrict image import capabilities to trusted external URLs and monitor for attempted redirects.", "Disable the optional ovf_process import plugin if it is not required for your environment."], "summary": {"action": "Patch", "impact": "Server-side request forgery enabling internal network access"}, "threat_synthesis": {"affected_systems": "The problem exists in OpenStack Glance before version 29.1.1, in the 30.x series up to but not including 30.1.1, and in the 31.0.0 build. Any deployment that uses the default image import functions during those releases is vulnerable. Versions newer than 29.1.0, newer than 30.0.0 but earlier than 30.1.0, and the 31.0.0 release need to be reviewed.", "description_and_impact": "This vulnerability is a server\u2011side request forgery that lets an authenticated user trick the image import service into requesting arbitrary internal resources. By sending a malicious URL that redirects through multiple hops, the attacker can bypass URL validation checks and reach internal endpoints normally hidden behind the glance front\u2011end. The attacker can exfiltrate internal network information or internal services that may expose sensitive data. Since the flaw is tied to the web\u2011download and glance\u2011download import methods, the impact is limited to users capable of creating or importing images.", "risk_and_exploitability": "With a CVSS base score of 5.0 the issue is considered moderate. No EPSS data are present, and the vulnerability is not listed in the CISA KEV catalog. An attacker only needs to be authenticated to Glance and to invoke an image import operation. If an internal redirect is followed, the service will issue the request from the host, allowing lateral discovery or exploitation of other internal resources."}}}}, "created": "2026-03-31T19:56:11.956160+00:00", "title": "OpenStack Glance SSRF via HTTP Redirects in Image Import", "updated": "2026-03-31T20:39:27.810260+00:00", "vendors": ["openstack", "openstack$PRODUCT$glance"]}