PROBABLYPWNED
Vulnerabilities | June 4, 2026 | 3 min read

OpenStack Mistral CVSS 9.9 Flaw Allows RCE via Exposed Workflow API

CVE-2026-41283 enables unauthenticated remote code execution on OpenStack Mistral through 22.0.0. Trivial exploitation when API is network-accessible.

Marcus Chen

A critical vulnerability in OpenStack Mistral allows unauthenticated attackers to execute arbitrary code on affected deployments when the workflow API is network-accessible. Tracked as CVE-2026-41283, the flaw carries a CVSS score of 9.9—just 0.1 shy of the maximum severity rating.

Mistral is OpenStack's workflow service, used to automate complex multi-step operations across cloud infrastructure. Organizations running private clouds often expose Mistral's API for orchestration tasks, which now presents a significant risk.

Vulnerability Details

The vulnerability affects OpenStack Mistral through version 22.0.0. According to TheHackerWire's analysis, specific API endpoints process input in a way that allows attackers to inject and execute arbitrary code.

The near-maximum CVSS score reflects the worst-case combination:

  • Network attack vector - Exploitable remotely
  • Low attack complexity - Straightforward to execute
  • No privileges required - No authentication needed
  • No user interaction - Fully automated exploitation

When Mistral's API is exposed to the network, exploitation is trivial. The attacker only needs direct access to a vulnerable API instance.

Impact Assessment

Successful exploitation grants command execution on the underlying system where Mistral runs. In a typical OpenStack deployment, this means:

  • Access to cloud orchestration credentials
  • Ability to manipulate workflows affecting production infrastructure
  • Potential lateral movement to other OpenStack services
  • Exfiltration of sensitive service credentials stored in Mistral configurations

For organizations using Mistral to automate infrastructure provisioning, the attacker essentially gains the same capabilities as the workflow engine itself—which often has elevated privileges across the cloud environment.

This vulnerability follows a pattern we've documented with other cloud platform vulnerabilities where management APIs become the weak point in otherwise well-secured infrastructure.

Who's Affected

Any organization running OpenStack Mistral through version 22.0.0 with the API accessible from untrusted networks. This includes:

  • Private cloud deployments with externally accessible management interfaces
  • Development and staging environments with relaxed network controls
  • Service providers offering OpenStack-based services

The vulnerability is particularly concerning for multi-tenant environments where one compromised API endpoint could affect infrastructure serving multiple customers.

Recommended Mitigations

Until a patch is available:

  1. Restrict API access - Ensure Mistral's API endpoints are only accessible from trusted management networks
  2. Implement network segmentation - Isolate OpenStack management plane from general network traffic
  3. Enable API authentication - Verify Keystone authentication is properly enforced on all Mistral endpoints
  4. Monitor API access logs - Alert on requests to Mistral endpoints from unexpected sources
  5. Audit workflow definitions - Review existing workflows for signs of tampering
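Steps 3 and 4 above are the two that can be checked mechanically. The script below is an added example written for this article, not code from the OpenStack project or the original post: it reads a mistral.conf excerpt and reports whether the `[pecan] auth_enable` option (the Mistral setting that turns Keystone authentication on or off) has been switched off, then scans API access-log lines for requests to Mistral's `/v2/` endpoints arriving from outside a trusted management CIDR. The configuration excerpt, the log line shape (a common combined-log style) and every address are constructed samples; real deployments log through their own front end, so adjust `LOG_RE` to match.

```python
"""Defender-side checks for two of the Mistral hardening steps:
(3) confirm Keystone authentication is still enabled in mistral.conf,
(4) flag Mistral API requests from outside the trusted management network.

All inputs below are constructed samples for demonstration.
"""
import configparser
import ipaddress
import re

# Constructed mistral.conf excerpt with the weak setting present on purpose.
SAMPLE_CONF = """
[DEFAULT]
debug = False

[pecan]
auth_enable = False
"""

# Constructed access-log lines: "client - - [timestamp] \"METHOD path proto\" status".
SAMPLE_LOG = """\
10.20.0.15 - - [04/Jun/2026:09:12:01 +0000] "GET /v2/workflows HTTP/1.1" 200
198.51.100.77 - - [04/Jun/2026:09:12:44 +0000] "POST /v2/executions HTTP/1.1" 201
10.20.0.16 - - [04/Jun/2026:09:13:02 +0000] "GET /v2/executions HTTP/1.1" 200
203.0.113.9 - - [04/Jun/2026:09:14:10 +0000] "POST /v2/actions HTTP/1.1" 401
"""

# Assumed management network; replace with the CIDRs that should reach Mistral.
TRUSTED_CIDRS = ["10.20.0.0/24"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def keystone_auth_enabled(conf_text: str) -> bool:
    """True unless [pecan] auth_enable is explicitly false.

    Mistral defaults auth_enable to True, so a missing section or option
    is treated as enabled; only an explicit False is a finding.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser.getboolean("pecan", "auth_enable", fallback=True)


def untrusted_requests(log_text: str, trusted_cidrs) -> list:
    """Return Mistral API requests whose client address is outside trusted_cidrs.

    Only paths under /v2/ (the Mistral API root) are considered; other
    lines that happen to share the log are ignored.
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/v2/"):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in n for n in nets):
            findings.append({
                "ip": str(ip),
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
                "timestamp": m["ts"],
            })
    return findings


if __name__ == "__main__":
    if not keystone_auth_enabled(SAMPLE_CONF):
        print("FINDING: [pecan] auth_enable is False; Keystone auth is bypassed")
    for f in untrusted_requests(SAMPLE_LOG, TRUSTED_CIDRS):
        # A 2xx from an untrusted source is the line worth paging on;
        # a 401 still shows someone outside the management net is probing.
        print(f"FINDING: {f['ip']} {f['method']} {f['path']} -> {f['status']} at {f['ts' if False else 'timestamp']}")
```

Run against the real mistral.conf and the API front end's access log instead of the samples; a request from outside the management CIDR that returns 2xx is the case to escalate, while 4xx responses from such sources still indicate that the API is reachable from where it should not be.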

Organizations should treat any externally accessible Mistral deployment as potentially compromised and conduct forensic review.

The Bigger Picture

OpenStack powers significant private cloud infrastructure globally, from telecommunications carriers to research institutions to government agencies. A CVSS 9.9 vulnerability in a core service component represents serious risk to these environments.

The cloud management plane has become an increasingly attractive target. Attackers understand that compromising orchestration services gives them leverage over everything those services manage. We've seen this pattern with Kubernetes vulnerabilities, cloud provider APIs, and now OpenStack workflow engines.

For security teams running OpenStack, this disclosure is a reminder to audit your management plane exposure. The attack surface isn't just the workloads running on your cloud—it's every API that controls those workloads.

If you're running Mistral in production, verify your network architecture restricts API access appropriately. A workflow engine that can provision infrastructure across your organization shouldn't be reachable from the internet.
