CVE-2026-28370: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in OpenStack Vitrage
CVE-2026-28370 is a critical remote code execution vulnerability in OpenStack Vitrage affecting versions prior to 12.0.1, 13.0.0, 14.0.0, and 15.0.0. It arises from improper neutralization of directives in dynamically evaluated code within the query parser, specifically in _create_query_function in vitrage/graph/query.
AI Analysis
Technical Summary
CVE-2026-28370 is a critical vulnerability classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, commonly called eval injection) in the query parser of OpenStack Vitrage, the OpenStack root cause analysis service. The flaw is in _create_query_function in vitrage/graph/query.py, where parts of a user-supplied query are dynamically evaluated as code without being neutralized. A caller who can authenticate to the Vitrage API can therefore submit a query whose values are executed as code on the host running the Vitrage service, with the privileges of the Vitrage service process. Affected versions are those prior to 12.0.1, 13.0.0, 14.0.0, and 15.0.0; every deployment that exposes the API to users is in scope. Exploitation requires valid credentials but no user interaction and no prior foothold on the host. The outcome is arbitrary code execution as the service account, from which an attacker can read the service's configuration (including the credentials Vitrage typically holds for querying other OpenStack services), tamper with the entity graph and alarms Vitrage presents, disrupt the service, and attempt to escalate privileges or pivot to other parts of the cloud control plane. No public exploit had been reported at the time of writing; the CVSS 3.1 score of 9.1 (Critical) reflects network reachability, ease of exploitation, and high impact on confidentiality, integrity, and availability. The root cause is a familiar one: building executable code from request data instead of compiling a query language into data structures or closures over a fixed set of operators.
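To make the CWE-95 pattern concrete, here is an added example written for this page; it is not Vitrage's own _create_query_function and does not claim to reproduce its code. It is a toy compiler for the same kind of nested JSON graph query ({"==": {"vitrage_type": "host"}} style), built once the vulnerable way, by pasting values into Python source and calling eval(), and once the hardened way, by compiling the query into closures over an operator allowlist. The query syntax, the sample items and the PWNED canary are assumptions for the demonstration; a real payload would call os.system or subprocess instead of appending to a list.

```python
"""Eval injection in a query compiler: vulnerable and hardened variants.

Illustrative code written for this page, not Vitrage's implementation.
A nested JSON query such as
    {"and": [{"==": {"vitrage_type": "host"}}, {"!=": {"state": "ERROR"}}]}
is compiled into a predicate over graph items (plain dicts here).
"""
import operator

ITEM = "item"  # parameter name used in the generated source
COMPARISONS = {
    "==": operator.eq, "!=": operator.ne, "<": operator.lt,
    "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}

# Canary for the demonstration; a real payload would call os.system or
# subprocess instead of appending to a list.
PWNED = []


def _vulnerable_source(query):
    """Render the query as Python source, pasting values in verbatim."""
    ((op, operand),) = query.items()
    if op in ("and", "or"):
        return "(" + f" {op} ".join(_vulnerable_source(q) for q in operand) + ")"
    if op == "not":
        return f"(not {_vulnerable_source(operand)})"
    if op in COMPARISONS:
        ((field, value),) = operand.items()
        # CWE-95: the untrusted value becomes part of the source. A value
        # containing a quote closes the literal and the rest is executed.
        return f"{ITEM}.get('{field}') {op} '{value}'"
    raise ValueError(f"unsupported operator {op!r}")


def vulnerable_create_query_function(query):
    """Vulnerable variant: eval() of attacker-influenced source."""
    return eval(f"lambda {ITEM}: {_vulnerable_source(query)}")


def safe_create_query_function(query):
    """Hardened variant: the same query language compiled into closures.

    Operators come from a fixed allowlist, field names and values are only
    ever used as data, and no Python source is built or evaluated.
    """
    if not isinstance(query, dict) or len(query) != 1:
        raise ValueError("query node must be a single-key dict")
    ((op, operand),) = query.items()
    if op in ("and", "or"):
        subs = [safe_create_query_function(q) for q in operand]
        combine = all if op == "and" else any
        return lambda item: combine(f(item) for f in subs)
    if op == "not":
        sub = safe_create_query_function(operand)
        return lambda item: not sub(item)
    if op in COMPARISONS:
        if not isinstance(operand, dict) or len(operand) != 1:
            raise ValueError("comparison needs exactly one field")
        ((field, value),) = operand.items()
        compare = COMPARISONS[op]
        return lambda item: compare(item.get(field), value)
    raise ValueError(f"unsupported operator {op!r}")


# Constructed sample data.
HOST = {"vitrage_type": "host", "state": "AVAILABLE"}
BENIGN = {"and": [{"==": {"vitrage_type": "host"}},
                  {"!=": {"state": "ERROR"}}]}
# The value closes the single-quoted literal and appends its own directive.
INJECTED = {"==": {"vitrage_type": "' or PWNED.append('rce') or '"}}


def demo():
    """Return (benign_vuln, benign_safe, injected_safe, canary_hits)."""
    del PWNED[:]
    benign_vuln = vulnerable_create_query_function(BENIGN)(HOST)
    benign_safe = safe_create_query_function(BENIGN)(HOST)
    vulnerable_create_query_function(INJECTED)(HOST)   # payload runs here
    canary_hits = len(PWNED)
    injected_safe = safe_create_query_function(INJECTED)(HOST)  # plain compare
    return benign_vuln, benign_safe, injected_safe, canary_hits


if __name__ == "__main__":
    print(demo())  # (True, True, False, 1)
```

Both variants agree on the benign query; only the eval-based one executes the injected value. Note that escaping quotes in the generated source is not a fix either, since the field names and operators are interpolated the same way; the durable fix is to never turn request data into source at all.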
Potential Impact
The impact of CVE-2026-28370 is severe for organizations running OpenStack Vitrage, particularly those exposing the Vitrage API to authenticated users. Successful exploitation allows attackers to execute arbitrary code on the host system with the privileges of the Vitrage service, which can lead to full system compromise. This can result in unauthorized access to sensitive cloud management data, disruption or manipulation of cloud topology and alarms, and potential lateral movement within the cloud environment. The compromise of Vitrage could undermine the security monitoring and root cause analysis capabilities of OpenStack deployments, increasing the risk of undetected attacks and prolonged breaches. Given the critical nature of this vulnerability and the widespread use of OpenStack in cloud infrastructures globally, the potential for significant operational disruption, data breaches, and loss of trust is high. Organizations without timely mitigation may face increased risk of targeted attacks, especially in environments where Vitrage is exposed to multiple users or integrated with other cloud services.
Mitigation Recommendations
To mitigate CVE-2026-28370, upgrade OpenStack Vitrage to the first fixed release of the affected series, 12.0.1, 13.0.0, 14.0.0, or 15.0.0 (the versions the advisory names as the boundary of the affected range), or any later release. Until the patch is applied, restrict the Vitrage API to the smallest set of trusted users and projects, since any authenticated caller can reach the vulnerable code path, and enforce strict authentication and authorization. Use network segmentation and firewall rules to limit exposure of the API endpoint, ideally restricting it to internal management networks. Confirm that the Vitrage processes run as a dedicated unprivileged service account rather than root, so that a successful injection does not immediately yield host root. Validating or filtering query values at a proxy is defense in depth only: the defect is that request data is evaluated as code, and filters on quotes or keywords can be bypassed, so do not treat filtering as a substitute for the upgrade; disabling or restricting query features is a stronger interim control where feasible. Monitor the Vitrage API logs for query parameters containing Python constructs (quote breakouts, __import__, os., subprocess) and the Vitrage hosts for unexpected child processes spawned by the service, unusual outbound connections from the service account, and privilege escalations. Endpoint detection and response (EDR) or runtime application self-protection (RASP) tooling can detect and block such behaviour. Finally, review and harden the wider OpenStack deployment, including regular vulnerability assessments and incident response readiness, since a compromised Vitrage host typically holds credentials for other OpenStack services.
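As an added example of the log monitoring recommended above (written for this page; not a Vitrage or OffSeq tool), the following scanner URL-decodes the query parameter of API requests and flags string values that carry Python-source indicators. The combined-log line format, the /v1/... paths and the sample requests are constructed for the example; adapt the request-line regex to whatever front end actually records the requests, and scan request bodies as well for POST endpoints.

```python
"""Flag eval-injection indicators in API query parameters (added example)."""
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Tokens a graph-query field value has no legitimate reason to contain but
# which are meaningful to a Python eval().
INDICATORS = [
    re.compile(r"__[a-z]+__"),                             # __import__, __builtins__
    re.compile(r"\b(?:os|subprocess|sys|importlib)\."),
    re.compile(r"\b(?:eval|exec|compile|open|getattr)\s*\("),
    re.compile(r"'\s*(?:or|and)\s+"),                      # quote breakout
    re.compile(r"[;\n]"),
]


def _string_leaves(node):
    """Yield every key and string value in a nested JSON dict/list tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _string_leaves(value)
    elif isinstance(node, list):
        for value in node:
            yield from _string_leaves(value)
    elif isinstance(node, str):
        yield node


def suspicious_values(raw_query):
    """Return (string, pattern) pairs for indicator hits in one query param."""
    try:
        tree = json.loads(raw_query)
    except ValueError:
        tree = raw_query            # not JSON: scan the raw string as-is
    hits = []
    for leaf in _string_leaves(tree):
        for pattern in INDICATORS:
            if pattern.search(leaf):
                hits.append((leaf, pattern.pattern))
                break
    return hits


def scan_log(lines):
    """Return {line_index: hits} for requests whose query parameter looks injected."""
    findings = {}
    for index, line in enumerate(lines):
        match = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not match:
            continue
        params = parse_qs(urlsplit(match.group(1)).query)
        for raw in params.get("query", []):
            hits = suspicious_values(raw)
            if hits:
                findings.setdefault(index, []).extend(hits)
    return findings


def _request_line(client, path, query):
    """Build a constructed access-log line in combined-log style."""
    encoded = quote(json.dumps(query))
    return (f'{client} - - [27/Feb/2026:05:11:11 +0000] '
            f'"GET {path}?query={encoded} HTTP/1.1" 200 512')


# Constructed sample traffic: a benign resource query, an injection attempt
# (using a harmless call as the stand-in payload), and a benign compound query.
SAMPLE_LOG = [
    _request_line("10.0.0.5", "/v1/resources",
                  {"==": {"vitrage_type": "host"}}),
    _request_line("10.0.0.9", "/v1/topology",
                  {"==": {"vitrage_type": "' or __import__('os').getpid() or '"}}),
    _request_line("10.0.0.5", "/v1/alarm",
                  {"and": [{"==": {"vitrage_type": "nova.instance"}},
                           {"!=": {"state": "ERROR"}}]}),
]

if __name__ == "__main__":
    for index, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {index}: {hits}")
```

Treat a hit as a triage lead, not proof of compromise, and do not rely on the absence of hits: an attacker can obfuscate the payload (for example via chr() and getattr chains), which is why the indicator list is a monitoring aid and the upgrade is the fix.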
Affected Countries
United States, Germany, United Kingdom, France, Japan, Canada, Australia, India, South Korea, Netherlands, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-02-27T04:52:33.518Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a1276f32ffcdb8a2e563fa
Added to database: 2/27/2026, 5:11:11 AM
Last enriched: 2/27/2026, 5:25:27 AM
Last updated: 2/27/2026, 6:31:31 AM