This vulnerability (CVE-2026-42997) in OpenStack Ironic relates to CWE-669, which concerns incorrect resource transfer between security spheres. Specifically, during the import process, a user invoking molds can cause authorization credentials—either a time-limited Keystone token or basic credentials—to be forwarded to a remote endpoint. These credentials grant access to all OpenStack services that Ironic is authorized to use, potentially exposing sensitive access tokens. The vulnerability affects multiple versions prior to 35.0.1, with fixed versions identified as 26.1.6, 29.0.5, 32.0.1, and 35.0.1. The CVSS 3.1 score is 7.7, indicating high severity, with network attack vector, low attack complexity, required privileges, no user interaction, and high confidentiality impact but no integrity or availability impact. No vendor advisory or patch links are provided in the input data.

Exploitation of this vulnerability could lead to unauthorized disclosure of sensitive credentials (Keystone tokens or basic credentials) to remote endpoints. This exposure could allow an attacker with some privileges to gain access to all OpenStack services authorized for Ironic, resulting in a significant confidentiality breach. There is no indication of impact on integrity or availability. No known exploits in the wild have been reported.

Fixed versions are available: 26.1.6, 29.0.5, 32.0.1, and 35.0.1. Users of OpenStack Ironic should upgrade to one of these versions to remediate the vulnerability. Patch status is not explicitly confirmed in the vendor advisory content provided, so users should verify the current remediation guidance from the official OpenStack security advisories. No other mitigation or temporary fixes are indicated in the data.