Introduction
A policy enforcement bypass in OpenStack Mistral's REST API V2 allows any authenticated user to create public workflows containing arbitrary code and execute them on Mistral executor workers, with the ability to exfiltrate service credentials that can unlock lateral movement across an entire OpenStack deployment. Disclosed on June 3, 2026 via OSSA-2026-020 and published in the NVD the following day, CVE-2026-41283 carries a CVSS score of 9.9 and affects Mistral versions spanning four active OpenStack release series.
Mistral is the workflow service within the OpenStack ecosystem, enabling users to define and execute multi-step processes using YAML-based workflow definitions via a REST API. It is commonly used for administrator tasks related to managing clusters, deploying distributed software at scale, and orchestrating operations that span multiple OpenStack components. Given OpenStack's position as the leading open source cloud computing platform with a market estimated at approximately USD 30.11 billion in 2025, Mistral deployments are present across a significant number of enterprise and service provider environments.
Technical Information
Root Cause: Incorrect Authorization (CWE-863)
CVE-2026-41283 is classified under CWE-863: Incorrect Authorization, defined by MITRE as occurring when "the product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check." In Mistral's case, several REST API V2 endpoints fail to enforce access policies entirely. The result is a complete bypass of authorization checks: any authenticated user who can reach the Mistral API can perform actions that should be restricted to administrators or specifically authorized roles.
The vulnerability was assigned by MITRE (source: [email protected]) and published in the NVD on June 4, 2026. The official advisory, OSSA-2026-020, was posted to the oss-security mailing list on June 3, 2026 by Goutham Pacha Ravi of the OpenStack Vulnerability Management Team.
Two Exploitation Paths
The advisory identifies two primary exploitation paths enabled by the policy bypass:
1. Unauthorized Public Resource Creation: An attacker can create public resources (such as workflows) without proper authorization. In Mistral, "public" resources are visible and accessible to all users in the OpenStack deployment, making them an effective vector for distributing malicious payloads across tenants.
2. Arbitrary Code Execution: Several Mistral API endpoints permit code execution. By bypassing policy enforcement, an attacker can upload arbitrary code that executes directly on Mistral executor workers. The advisory explicitly confirms: "An attacker could extract sensitive data including service credentials from the worker."
Full Exploitation Chain
The attack proceeds through a clear sequence:
- An authenticated user (even one with minimal privileges) accesses an exposed Mistral API endpoint.
- The attacker bypasses the broken policy enforcement on the REST API V2 endpoints.
- The attacker creates a public workflow containing arbitrary code execution instructions.
- The workflow is triggered, and the code executes on a Mistral executor worker.
- Because the executor worker holds service credentials used for Mistral's interactions with other OpenStack services (compute, storage, networking), the attacker exfiltrates these credentials.
- Using the stolen credentials, the attacker achieves lateral movement across the OpenStack deployment.
This chain is particularly concerning in multi-tenant environments, where a low-privilege user in one tenant could potentially compromise service credentials that span tenant boundaries.
Scope and Impact
The CVSS 9.9 score reflects the combination of factors at play: network-accessible attack vector, low attack complexity, low privileges required, and the ability to impact confidentiality, integrity, and availability of the target system and potentially other systems in the deployment. The credential exfiltration component is what elevates this from a standard RCE to a deployment-wide compromise scenario.
The vulnerability was discovered and responsibly reported by Eduardo Gonzalez Gutierrez (Independent) and Arnaud Morin of OVHcloud.
Affected Systems and Versions
The following Mistral versions are affected:
| Version Range | OpenStack Release Series | Status |
|---|---|---|
| >=20.0.0 and <20.1.1 | 2025.1 (Epoxy) | Affected |
| ==21.0.0 | 2025.2 (Flamingo) | Affected |
| ==22.0.0 | 2026.1 (Gazpacho) / 2026.2 (Hibiscus) | Affected |
| <20.0.0 | Prior releases | Not affected |
Deployments that do not expose the Mistral API to the network are not directly affected by the remote code execution vector, though authenticated users with internal network access could still exploit the vulnerability. The advisory explicitly states: "Deployments exposing the Mistral API are affected."
The OpenStack VMT coordinated 32 patches across four release series (Epoxy, Flamingo, Gazpacho, Hibiscus), with 8 patches per series available via the OpenDev Gerrit review system. Organizations should identify their deployed release series and apply all corresponding patches. As an interim measure, restricting network access to Mistral API endpoints is recommended, along with rotation of all service credentials accessible to Mistral executor workers.
Vendor Security History
This is at least the fourth CVE affecting OpenStack Mistral, and the trajectory shows a clear escalation in severity:
| CVE | Year | Type | Severity |
|---|---|---|---|
| CVE-2018-16848 | 2018 | Denial of Service via specially crafted workflow | Moderate |
| CVE-2019-3866 | 2019 | Information exposure (clear text credentials in world-readable log files) | Moderate |
| CVE-2021-4472 | 2021 | Local file inclusion via "Create Workbook" in mistral-dashboard | Moderate |
| CVE-2026-41283 | 2026 | Policy enforcement bypass, arbitrary RCE, credential exfiltration | Critical (9.9) |
The shift from moderate-severity issues to a CVSS 9.9 critical RCE is notable. CVE-2019-3866 also involved improper access controls (world-readable log files exposing credentials), suggesting that authorization enforcement has been a persistent weakness in Mistral's design rather than an isolated incident.
Looking at the broader OpenStack security landscape in 2026, the VMT has issued multiple advisories across various components, including policy bypasses in Neutron (OSSA-2026-016), authorization bypasses in Keystone (OSSA-2026-015), and RCE in Ironic when the Anaconda driver is enabled (OSSA-2026-012). This pattern indicates ongoing security challenges across the OpenStack ecosystem, though the project's coordinated disclosure and patching process remains structured and responsive.
The key tension worth noting: OpenStack's incident response process is mature (private patch review, coordinated advisory publication, Gerrit-based patch distribution), but the recurring nature of authorization weaknesses in Mistral suggests the component's security architecture would benefit from a fundamental review rather than continued point patching.
References
- NVD: CVE-2026-41283
- OSSA-2026-020: OpenStack Mistral Policy Enforcement Bypass (oss-security)
- OSSA-2026-020 Advisory (SecLists)
- OpenStack Mistral GitHub Tags
- OpenStack Security Advisories
- Mistral REST API V2 Documentation
- Mistral Workflow Service Documentation
- CWE-863: Incorrect Authorization
- OpenStack Mistral CVE History (OpenCVE)
- CVE-2021-4472 Detail (NVD)
- CVE-2019-3866 Detail (NVD)
- CVE-2018-16848 Record
- CISA Known Exploited Vulnerabilities Catalog



