OpenStack Mistral versions 20.0.0, 21.0.0, and 22.0.0 contain an authorization bypass vulnerability (CWE-863) that permits arbitrary remote code execution via exposed API endpoints. The flaw allows attackers with low privileges to execute code remotely, potentially leading to credential theft and full system compromise. The CVSS 3.1 base score is 9.9, reflecting network attack vector, low attack complexity, required privileges, no user interaction, and complete impact on confidentiality, integrity, and availability. No official patch or remediation level has been published yet, and no known exploits are reported in the wild.

Successful exploitation can result in arbitrary remote code execution, enabling attackers to exfiltrate service credentials and fully compromise the affected OpenStack Mistral service. This impacts confidentiality, integrity, and availability severely, potentially allowing attackers to control the system and access sensitive data.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the Mistral API to trusted users only and monitor for unauthorized access attempts. Avoid exposing the API publicly to reduce risk.