Vulnerability Overview

Vulnerability name: OpenStack Mistral policy enforcement bypass
CVE ID: CVE-2026-41283
Published: 3 June 2026
Description: Multiple Mistral API endpoints do not enforce access policy, which allows any authorized user to create public resources and upload arbitrary code that is then run on the Mistral executors. An attacker can extract sensitive data, including service credentials held by the executors.

Affected Scope

Affected versions:
- Mistral: >=20.0.0, =21.0.0, <22.0.0

Fix

Patch links:
- https://review.opendev.org/991416 (2025.1/epoxy)
- https://review.opendev.org/991417 (2025.1/epoxy)
- https://review.opendev.org/991418 (2025.1/epoxy)
- https://review.opendev.org/991419 (2025.1/epoxy)
- https://review.opendev.org/991420 (2025.1/epoxy)
- https://review.opendev.org/991421 (2025.1/epoxy)
- https://review.opendev.org/991422 (2025.1/epoxy)
- https://review.opendev.org/991423 (2025.1/epoxy)
- https://review.opendev.org/991488 (2025.2/flamingo)
- https://review.opendev.org/991489 (2025.2/flamingo)
- https://review.opendev.org/991410 (2025.2/flamingo)
- https://review.opendev.org/991411 (2025.2/flamingo)
- https://review.opendev.org/991412 (2025.2/flamingo)
- https://review.opendev.org/991413 (2025.2/flamingo)
- https://review.opendev.org/991414 (2025.2/flamingo)
- https://review.opendev.org/991480 (2026.1/gazpacho)
- https://review.opendev.org/991481 (2026.1/gazpacho)
- https://review.opendev.org/991482 (2026.1/gazpacho)
- https://review.opendev.org/991483 (2026.1/gazpacho)
- https://review.opendev.org/991484 (2026.1/gazpacho)
- https://review.opendev.org/991485 (2026.1/gazpacho)
- https://review.opendev.org/991486 (2026.1/gazpacho)
- https://review.opendev.org/991487 (2026.1/gazpacho)
- https://review.opendev.org/991392 (2026.2/hibiscus)
- https://review.opendev.org/991393 (2026.2/hibiscus)
- https://review.opendev.org/991394 (2026.2/hibiscus)
- https://review.opendev.org/991395 (2026.2/hibiscus)
- https://review.opendev.org/991396 (2026.2/hibiscus)
- https://review.opendev.org/991397 (2026.2/hibiscus)
- https://review.opendev.org/991398 (2026.2/hibiscus)
- https://review.opendev.org/991399 (2026.2/hibiscus)

References
- Launchpad Bug
- CVE
- MITRE

Other Information

Reporters: Eduardo Gonzalez Gutierrez and Arnaud Morin (0VmCloud)
OpenStack Vulnerability Management Team: link