CVE-2026-41283
Publication date 4 June 2026
Last updated 18 June 2026
Ubuntu priority
CVSS 3 Severity Score
Description
OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mistral | 26.04 LTS resolute | Fixed 22.0.0-0ubuntu1.1 |
| mistral | 25.10 questing | Fixed 21.0.0-0ubuntu1.1 |
| mistral | 24.04 LTS noble | Fixed 18.0.1-0ubuntu1.1 |
| mistral | 22.04 LTS jammy | Fixed 14.0.0-0ubuntu1.1 |
| mistral | 20.04 LTS focal | Vulnerable |
| mistral | 18.04 LTS bionic | Vulnerable |
Notes
federicoquattrin
xenial, bionic and focal are vulnerable to the broken access control issue described as impact #1 in LP#2147178, but not vulnerable to the RCE described as impact #2 in LP#2147178. The vulnerable component to the RCE was introduced in version 12.0.0.
Severity score breakdown
CVSS version: CVSS v3.0
Base score: 9.9 · Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References
Related Ubuntu Security Notices (USN)
- USN-8422-1: Mistral vulnerability (11 June 2026)