JustAppSec

OpenStack Vitrage patches query-parser RCE (CVE-2026-28370)

What happened

OpenStack’s Vulnerability Management Team published OSSA-2026-003 describing CVE-2026-28370, a vulnerability in the OpenStack Vitrage query parser. According to the advisory, a user who is allowed to access the Vitrage API may be able to trigger code execution on the Vitrage service host as the user account the Vitrage service runs under.

Who is impacted

The advisory lists the affected releases as Vitrage versions earlier than 12.0.1, plus the specific releases 13.0.0, 14.0.0 and 15.0.0. Because the vulnerable query-parsing path is reachable by any API user, it notes that every deployment exposing the Vitrage API is affected.
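As an added example (not part of the advisory or of the Vitrage project), the script below turns the advisory's affected-version list into a check you can run on a controller node against the output of `pip show vitrage`. The `pip show` sample embedded in it is constructed so the script runs offline; on a real host it shells out to pip first and only falls back to the sample if pip is unavailable. The version ranges are copied from the advisory text and nothing else is assumed about fixed releases.

```python
"""Check an installed Vitrage version against the affected ranges in OSSA-2026-003.

Added example, not advisory or project code. Ranges below are the ones the
advisory lists ("< 12.0.1" plus 13.0.0, 14.0.0 and 15.0.0).
"""
import re
import subprocess
import sys
from typing import Dict, Tuple

# Affected ranges as stated in OSSA-2026-003.
AFFECTED_BELOW = (12, 0, 1)                       # every release older than 12.0.1
AFFECTED_EXACT = {(13, 0, 0), (14, 0, 0), (15, 0, 0)}

# MAJOR.MINOR.PATCH with an optional pre-release/dev/local suffix
# (e.g. "13.0.0.dev4", "12.0.1rc1", "14.0.0+local").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.\-+]?[A-Za-z][0-9A-Za-z.\-+]*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a Vitrage version string into a comparable (major, minor, patch) tuple.

    Any suffix is dropped, so a dev or rc build of 13.0.0 is treated as 13.0.0.
    That is the conservative choice for an advisory check. Unparseable input
    raises ValueError rather than silently reporting "not affected".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Vitrage version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected list."""
    v = parse_version(version)
    return v < AFFECTED_BELOW or v in AFFECTED_EXACT


def version_from_pip_show(output: str) -> str:
    """Extract the value of the 'Version:' line from `pip show vitrage` output."""
    for line in output.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Version:' line in pip show output")


def check(pip_show_output: str) -> Dict[str, object]:
    """Return a small report dict for the version found in the pip output."""
    v = version_from_pip_show(pip_show_output)
    return {
        "version": v,
        "affected": is_affected(v),
        "advisory": "OSSA-2026-003",
        "cve": "CVE-2026-28370",
    }


# Constructed sample of `pip show vitrage` output (not captured from a real host).
SAMPLE_PIP_SHOW = """\
Name: vitrage
Version: 13.0.0
Summary: The OpenStack RCA Service
Location: /usr/lib/python3/dist-packages
"""


if __name__ == "__main__":
    try:
        out = subprocess.run(
            [sys.executable, "-m", "pip", "show", "vitrage"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_PIP_SHOW  # offline fallback to the constructed sample
    print(check(out))
```

Two caveats when reading the result. The advisory names affected releases but this page does not state the fixed releases, so a version that is reported as not affected (13.0.1, say) is only "not in the advisory's list"; confirm against the OpenDev patches referenced in the advisory before treating a host as clean. And pip reports the installed Python package, not what the running `vitrage-api` process loaded; restart the service after patching, or compare against the package the process actually imported.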

What to do now

  • Apply the upstream patches referenced by OSSA-2026-003 for your deployed OpenStack stable branch (patches are provided via OpenDev code reviews for multiple branches).
  • If you cannot patch immediately, restrict access to the Vitrage API (network ACLs / security groups / reverse-proxy auth) so that only the users and networks that need it can send queries.
  • Treat this as a service-host compromise risk (code execution as the Vitrage service user): review host hardening, what that user can read and reach (its configuration files and any credentials they hold, the database and message bus it connects to), and monitor for unusual Vitrage API query activity.

Additional Information

  • Advisory identifier: OSSA-2026-003 (OpenStack Vulnerability Management Team)
  • CVE: CVE-2026-28370
  • Patch references in the advisory include OpenDev review IDs: 962671, 962713, 962712, 962646, 962658, 962617.

Source: Openwall oss-security (OpenStack VMT advisory OSSA-2026-003)
Published 03 Mar 2026