CVE-2026-44393: An issue was discovered in OpenStack oslo.messaging
An issue was discovered in OpenStack oslo.messaging 1.0.0 through 17.3.0. The oslo.messaging RabbitMQ driver does not perform TLS hostname verification when connecting to the message broker. When ssl_ca_file is configured, the driver enables certificate chain validation but does not pass the expected broker hostname into the underlying TLS stack. Any certificate signed by the deployment CA is accepted regardless of hostname, allowing an attacker who can intercept control-plane traffic to impersonate the RabbitMQ broker and perform a man-in-the-middle attack on RPC and notification traffic. All OpenStack services using oslo.messaging with RabbitMQ over TLS are affected.
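As an added illustration (this is not oslo.messaging's or HarborGuard's code), the Python below models the decision the advisory describes: chain validation alone, which is what a configured ssl_ca_file gives the client, versus chain validation plus matching the expected broker hostname against the certificate's subjectAltName. It also shows a client-side ssl.SSLContext configured so the hostname check cannot be left out. The certificate dictionaries and hostnames are constructed for the example, and the matcher is a simplified RFC 6125 rule set written here for clarity, not the one inside OpenSSL.

```python
"""Hostname verification vs. chain-only validation (added example)."""
import ipaddress
import ssl
from typing import Optional


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (simplified RFC 6125).

    A wildcard is honoured only as the entire left-most label and never
    spans a dot: '*.mq.example.internal' matches 'rabbit1.mq.example.internal'
    but not 'a.b.mq.example.internal'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard must be the whole first label; '*.internal' is too broad
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, expected_host: str) -> bool:
    """Was this peer certificate (shape of ssl.SSLSocket.getpeercert()) issued
    for expected_host? Only subjectAltName is consulted, as modern TLS stacks
    do; a certificate with no SAN entries is rejected."""
    try:
        ip = ipaddress.ip_address(expected_host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_name_matches(value, expected_host):
            return True
    return False


def peer_accepted(cert: dict, expected_host: str, chain_ok: bool,
                  verify_hostname: bool) -> bool:
    """Model the two client behaviours the advisory contrasts.

    chain_ok is the outcome of CA chain validation. With verify_hostname
    False, any certificate the deployment CA signed is accepted; with it True,
    the certificate must also name the broker being connected to.
    """
    if not chain_ok:
        return False
    if not verify_hostname:
        return True
    return hostname_matches(cert, expected_host)


def make_broker_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that requires both a valid chain and a matching name.

    PROTOCOL_TLS_CLIENT already defaults to check_hostname=True and
    CERT_REQUIRED; they are set explicitly so a later edit cannot silently
    drop them. ca_file is the deployment CA bundle (hypothetical path)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces both the chain and the hostname."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample certificates: both are imagined to chain to the same
# deployment CA, so only the hostname check can tell them apart.
BROKER_CERT = {
    "subject": ((("commonName", "rabbit1.mq.example.internal"),),),
    "subjectAltName": (("DNS", "rabbit1.mq.example.internal"),
                       ("DNS", "*.mq.example.internal")),
}
ROGUE_CERT = {  # a legitimate cert for some other host in the deployment
    "subject": ((("commonName", "compute-07.example.internal"),),),
    "subjectAltName": (("DNS", "compute-07.example.internal"),),
}

if __name__ == "__main__":
    host = "rabbit1.mq.example.internal"
    print("chain-only client accepts rogue cert:", peer_accepted(ROGUE_CERT, host, True, False))
    print("strict client accepts rogue cert:   ", peer_accepted(ROGUE_CERT, host, True, True))
    print("strict client accepts broker cert:  ", peer_accepted(BROKER_CERT, host, True, True))
```

With check_hostname set, ssl.SSLContext.wrap_socket raises ValueError unless server_hostname is supplied, so a caller cannot forget to hand the broker name to the TLS stack; keeping that property is the point of any fix to the driver, and it is also the configuration to look for when auditing other AMQP clients in the deployment.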
Metrics
- CVSS v3.1: 7.4
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a TLS hostname verification bypass in OpenStack oslo.messaging versions 1.0.0 through 17.3.0. The vulnerability is reachable over the network without authentication, but exploiting it requires the attacker to be positioned to intercept control-plane traffic between OpenStack services and the RabbitMQ broker, which is why attack complexity is rated high. A successful man-in-the-middle attacker can read and tamper with the RPC and notification messages passing between every OpenStack service that uses the affected driver. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched rebuild available as soon as upstream ships a fix.
HarborGuard Coverage
- Detection: Available
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built OpenStack service images that bundle oslo.messaging. Any image found to carry an affected version (1.0.0 through 17.3.0) of the library is flagged immediately.
- Scoring and routing: Available
HarborGuard is capable of scoring this finding at CVSS 7.4 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Patched rebuild: Pending upstream
Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version appears in the oslo.messaging release stream. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically without requiring manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must be positioned to intercept network traffic between OpenStack services and the RabbitMQ broker over TLS, meaning over-the-network access to control-plane traffic is required.
- Authentication: Not required
No credentials or account are needed to carry out the man-in-the-middle interception; any certificate issued by the deployment CA, for any hostname, is sufficient to impersonate the broker.
- Victim interaction: Not required
No user or administrator action is required; exploitation takes place during the routine connections OpenStack services make to the broker.
- Attack complexity: High
Attack complexity is high because the attacker must first achieve a network position capable of intercepting TLS control-plane traffic, which requires specific infrastructure access or a prior foothold.
Blast Radius
- Reads plaintext RPC call payloads and notification messages exchanged between all OpenStack services using oslo.messaging with RabbitMQ over TLS, exposing credentials, tokens, and operational data carried in those messages.
- Modifies RPC requests and responses in transit, allowing the attacker to inject malicious instructions into OpenStack service workflows or corrupt task queues.
- Impersonates the RabbitMQ broker to selectively drop, replay, or reorder messages, disrupting coordination between OpenStack control-plane services.
How HarborGuard Handles This
Available on HarborGuard: detection for this advisory is active across all customer environments, with affected images flagged within minutes of the CVE entering upstream feeds. Because no patched version of oslo.messaging exists yet, HarborGuard re-checks the advisory on every ingest cycle and will trigger a rebuild automatically the moment upstream publishes a fix, with a PR opened against affected workloads for customers who have auto-remediation enabled. In the interim, compensating controls worth considering include: network-policy isolation that restricts which hosts can reach the RabbitMQ broker ports; pointing ssl_ca_file at a dedicated CA that issues certificates only to the brokers, since the affected driver accepts any certificate signed by the configured CA and a deployment-wide CA therefore lets any host's certificate pass as the broker; mutual TLS with strict certificate pinning enforced at the load-balancer or proxy layer in front of the broker; and egress filtering on OpenStack control-plane nodes to prevent unexpected broker connections. HarborGuard surfaces the finding with CVSS 7.4 HIGH scoring and routes it according to each environment's compliance policy so the right team can act on these mitigations without delay.
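Added example, not HarborGuard tooling: a check that reads the oslo.messaging version installed in the current interpreter through importlib.metadata (the PyPI distribution name is oslo.messaging) and reports whether it falls inside the affected range the advisory names, 1.0.0 through 17.3.0 inclusive. Because no fixed release had been announced, a version above 17.3.0 is reported as outside the published range rather than as fixed. The version parser is a deliberately simple one that keeps the first three numeric components and ignores pre-release or dev suffixes.

```python
"""Flag an installed oslo.messaging in the advisory's affected range (added example)."""
import re
from importlib import metadata
from typing import Optional, Tuple

AFFECTED_LOW = (1, 0, 0)     # inclusive lower bound from the advisory
AFFECTED_HIGH = (17, 3, 0)   # inclusive upper bound from the advisory
DISTRIBUTION = "oslo.messaging"

_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce '17.3.0', '17.3' or '17.3.0.dev5' to a comparable 3-int tuple.

    Suffixes such as .dev5 or rc1 are dropped, so '17.3.1.dev1' compares as
    17.3.1; that is deliberate and errs toward reporting a pre-release of a
    later version as outside the range, which is what its numbering claims.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when version lies within 1.0.0 .. 17.3.0 inclusive."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def installed_version() -> Optional[str]:
    """Version of the oslo.messaging distribution visible to this interpreter,
    or None when it is not installed."""
    try:
        return metadata.version(DISTRIBUTION)
    except metadata.PackageNotFoundError:
        return None


def report(version: Optional[str]) -> str:
    """Human-readable verdict for one version string (None = not installed)."""
    if version is None:
        return f"{DISTRIBUTION}: not installed in this interpreter"
    if is_affected(version):
        return (f"{DISTRIBUTION} {version}: AFFECTED "
                f"(within 1.0.0 through 17.3.0, no upstream fix published)")
    return (f"{DISTRIBUTION} {version}: outside the published affected range; "
            f"confirm fix status against upstream release notes before closing")


def check_host() -> str:
    """Run the check against the running interpreter's site-packages."""
    return report(installed_version())


if __name__ == "__main__":
    print(check_host())
```

Run it inside the image or virtualenv under review (for example via the service's own interpreter) rather than on the scanner host, since the result reflects only the site-packages of the interpreter that executes it.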
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N