OpenStack Vitrage query-parser flaw enables service-host RCE
TL;DR — Patch OpenStack Vitrage immediately; any user with Vitrage API access can trigger code execution on the service host.
What happened
Vitrage is an OpenStack root cause analysis service that correlates alarms and events across an OpenStack deployment to help operators diagnose infrastructure problems. OpenStack's Vulnerability Management Team published OSSA-2026-003 describing CVE-2026-28370, a vulnerability in the Vitrage query parser where a Vitrage API user can trigger code execution as the service's OS user. All deployments exposing the Vitrage API are affected.
Query parsers that evaluate user input as code are a recurring RCE vector in cloud platforms — similar issues have hit Grafana, InfluxDB, and other observability tools that parse query languages without proper sandboxing.
Who is impacted
- Vitrage < 12.0.1, and releases 13.0.0, 14.0.0, 15.0.0.
- All deployments exposing the Vitrage API.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- If you cannot patch immediately, restrict Vitrage API access via network ACLs/security groups.
- Treat this as a service-host compromise risk: review host hardening, credentials available to the service user, and monitor for suspicious query activity.
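A version triage check against the affected set stated above, added here as an example and not tooling from the advisory or the Vitrage project. Host names, version strings and exposure flags are constructed sample data; because the page does not name the fixed releases, a "not listed as affected" result only means the version is outside the advisory's affected set and vendor guidance still decides what to run.

```python
"""Triage OpenStack Vitrage hosts against OSSA-2026-003 / CVE-2026-28370.

Affected per the advisory: every release below 12.0.1, plus exactly
13.0.0, 14.0.0 and 15.0.0. Fixed releases are not named on the page,
so this only reports membership in the affected set.
"""
import re
from typing import List, Tuple

FIXED_FLOOR = (12, 0, 1)                              # everything below is affected
AFFECTED_EXACT = {(13, 0, 0), (14, 0, 0), (15, 0, 0)}  # later point-zero releases


def parse_version(text: str) -> Tuple[int, int, int]:
    """Map '12.0.1', 'v13.0.0' or '11.1.0.dev4' to (major, minor, patch).

    Assumption: trailing dev/pre-release tags share the base release's
    parser code, so they are ignored; missing components count as zero.
    """
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected set."""
    v = parse_version(version)
    return v < FIXED_FLOOR or v in AFFECTED_EXACT


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """Return (host, priority) for affected hosts only.

    Hosts whose Vitrage API is reachable beyond the control plane come
    first (patch now); affected but network-restricted hosts follow.
    """
    ranked = []
    for host, version, api_exposed in inventory:
        if not is_affected(version):
            continue
        ranked.append((host, "P1-patch-now" if api_exposed else "P2-patch-restricted"))
    ranked.sort(key=lambda hp: hp[1])  # stable sort keeps inventory order within a tier
    return ranked


SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
    ("ctl-01", "11.0.0", True),
    ("ctl-02", "12.0.1", True),
    ("ctl-03", "13.0.0", False),
    ("ctl-04", "15.0.0", True),
    ("ctl-05", "14.1.0", True),
]

if __name__ == "__main__":
    for host, prio in triage(SAMPLE_INVENTORY):
        print(f"{prio}: {host}")
```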
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
