CVE-2026-28370 is a critical vulnerability classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, commonly known as 'Eval Injection') found in OpenStack Vitrage's query parser component. The vulnerability arises from unsafe handling of user-supplied input in the _create_query_function method within vitrage/graph/query.py, which dynamically evaluates code based on query parameters. Authenticated users with access to the Vitrage API can craft malicious queries that trigger arbitrary code execution on the host system under the privileges of the Vitrage service user. This flaw affects all deployments exposing the Vitrage API running versions prior to 12.0.1 and specific versions 13.0.0, 14.0.0, and 15.0.0. The vulnerability allows attackers to bypass normal access controls and execute arbitrary commands, potentially leading to unauthorized access, data leakage, service disruption, or full system compromise. The vulnerability has a CVSS v3.1 base score of 9.1, indicating critical severity with network attack vector, low attack complexity, high privileges required, no user interaction, and scope change. No public exploits have been reported yet, but the nature of the vulnerability and its impact make it a high-risk issue for organizations using OpenStack Vitrage for cloud infrastructure monitoring and root cause analysis.

The impact of CVE-2026-28370 is severe for organizations deploying OpenStack Vitrage, especially those exposing the Vitrage API to authenticated users. Exploitation can lead to arbitrary code execution on the host running the Vitrage service, potentially allowing attackers to escalate privileges, access sensitive data, manipulate monitoring results, disrupt cloud infrastructure monitoring, or pivot to other internal systems. This compromises the confidentiality, integrity, and availability of the Vitrage service and potentially the broader cloud environment it monitors. Given Vitrage's role in root cause analysis and event correlation in OpenStack clouds, a compromised Vitrage instance can undermine trust in monitoring data and cloud operational security. Organizations relying on Vitrage for critical cloud management functions face risks of operational disruption and data breaches. The vulnerability's network accessibility and low complexity of exploitation increase the likelihood of targeted attacks once exploit code becomes available.

To mitigate CVE-2026-28370, organizations should immediately upgrade OpenStack Vitrage to a fixed version beyond 12.0.1 or versions later than 15.0.0 where the vulnerability is patched. If upgrading is not immediately feasible, restrict access to the Vitrage API to trusted and authenticated users only, ideally limiting API exposure to internal networks or VPNs. Implement strict API authentication and authorization controls to minimize the risk of malicious query injection. Employ runtime application monitoring and intrusion detection to identify anomalous query patterns or unexpected code execution behaviors. Review and harden the configuration of the Vitrage service user to limit privileges on the host system, reducing the impact of potential exploitation. Additionally, consider deploying web application firewalls (WAFs) or API gateways with custom rules to detect and block suspicious query inputs targeting the vulnerable function. Regularly audit logs for unusual API activity and prepare incident response plans for potential exploitation scenarios.