CVE-2026-28370

OpenStack · Vitrage

OpenStack Vitrage contains a code execution vulnerability in its query parser, allowing authenticated API users to execute arbitrary code on the service host.

Executive summary

A code execution vulnerability in OpenStack Vitrage allows any authenticated API user to run code on the Vitrage service host and, from there, reach the wider infrastructure.

Vulnerability

The flaw is in _create_query_function() in vitrage/graph/query.py, which turns a user-supplied query into a function evaluated by the service. An authenticated user with API access can craft a query that causes arbitrary code to run under the privileges of the Vitrage service account.
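To make the bug class concrete, the following is an added illustration, not Vitrage's own code and not a reproduction of CVE-2026-28370: a dict-based graph query language (the operator set and the query shape are assumptions chosen to resemble a Vitrage-style filter such as {'and': [{'==': {'vitrage_category': 'ALARM'}}, {'>': {'severity': 2}}]}) is first compiled to Python source and eval()'d, which lets a quote inside a query value become code, and is then rewritten as an interpreter that validates the tree and never builds source text. The function names compile_unsafe, compile_safe and the SIDE_EFFECTS marker are hypothetical.

```python
import operator

# Populated only if injected code actually runs during predicate evaluation.
SIDE_EFFECTS = []

# ---- Vulnerable pattern: compile the query to Python source, then eval() it ----

def _to_source(node):
    """Translate one query node into a Python expression string."""
    ((op, arg),) = node.items()
    if op in ('and', 'or'):
        return '(' + f' {op} '.join(_to_source(child) for child in arg) + ')'
    if op == 'not':
        return f'(not {_to_source(arg)})'
    ((prop, value),) = arg.items()
    # The value is quoted but never escaped: a quote inside it closes the
    # literal and everything after it is compiled as code.
    literal = f"'{value}'" if isinstance(value, str) else repr(value)
    return f"(item.get('{prop}') {op} {literal})"

def compile_unsafe(query):
    """Deliberately unsafe (the bug class under discussion): attacker-controlled
    text from the query reaches eval()."""
    return eval('lambda item: ' + _to_source(query))  # nosec

# ---- Hardened form: validate the tree, then interpret it directly ----

_COMPARATORS = {'==': operator.eq, '!=': operator.ne, '<': operator.lt,
                '<=': operator.le, '>': operator.gt, '>=': operator.ge}
_SCALARS = (str, int, float, bool, type(None))

def _validate(node):
    """Reject anything that is not a well-formed query tree."""
    if not isinstance(node, dict) or len(node) != 1:
        raise ValueError('each query node must be a single-key dict')
    ((op, arg),) = node.items()
    if op in ('and', 'or'):
        if not isinstance(arg, list) or not arg:
            raise ValueError(f'{op!r} expects a non-empty list of nodes')
        for child in arg:
            _validate(child)
    elif op == 'not':
        _validate(arg)
    elif op in _COMPARATORS:
        if not isinstance(arg, dict) or len(arg) != 1:
            raise ValueError(f'{op!r} expects a single {{property: value}} pair')
        ((prop, value),) = arg.items()
        if not isinstance(prop, str) or not isinstance(value, _SCALARS):
            raise ValueError('property must be a str and value a scalar')
    else:
        raise ValueError(f'unknown operator {op!r}')

def _evaluate(node, item):
    """Walk the validated tree against one graph item; returns a bool."""
    ((op, arg),) = node.items()
    if op == 'and':
        return all(_evaluate(child, item) for child in arg)
    if op == 'or':
        return any(_evaluate(child, item) for child in arg)
    if op == 'not':
        return not _evaluate(arg, item)
    ((prop, value),) = arg.items()
    try:
        return _COMPARATORS[op](item.get(prop), value)
    except TypeError:   # e.g. None > 2 when the property is missing: no match
        return False

def compile_safe(query):
    """Hardened form: validate once, then return a closure that interprets the
    tree. No source text is generated, so no query value can become code."""
    _validate(query)
    return lambda item: _evaluate(query, item)
```

The point of the safe variant is that the query is data all the way down: operators are looked up in a fixed table, values are checked to be scalars, and the comparison is performed by the interpreter rather than by generated code, so the same injected value that runs code under compile_unsafe is merely compared as a string under compile_safe.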

Business impact

Although exploitation requires authentication, code execution on the host can lead to complete compromise of the Vitrage service and potentially of the broader OpenStack environment. Beyond that, an attacker could read the cloud topology Vitrage holds or tamper with infrastructure monitoring data. The CVSS score of 9.1 reflects the high impact on system integrity and confidentiality.

Remediation

Immediate Action: Update OpenStack Vitrage to the patched release for your branch (12.0.1, 13.0.0, 14.0.0 or 15.0.0).

Proactive Monitoring: Review Vitrage API logs for unusual query payloads, and watch for child processes started by the Vitrage service user that the service does not normally spawn.

Compensating Controls: Enforce strict Role-Based Access Control (RBAC) so that only highly trusted users can reach the Vitrage API, and run the service in a container or similarly isolated environment with the minimum privileges it needs.
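One way to implement the process-execution monitoring above, as an added example that is not part of this advisory or of the Vitrage project: join auditd SYSCALL and EXECVE records by serial number and flag every successful execve by the Vitrage service user whose executable is not on an allowlist. It assumes an audit rule tagged vitrage-exec, for example "-a always,exit -F arch=b64 -S execve -F uid=42436 -k vitrage-exec"; the uid 42436, the allowlist and the log lines are constructed for this example, not taken from a real host.

```python
import re
from collections import namedtuple

VITRAGE_UID = '42436'          # assumed uid of the vitrage service account
AUDIT_KEY = 'vitrage-exec'     # -k tag of the assumed audit rule
EXEC_ALLOWLIST = {             # binaries the service is expected to execute (assumed)
    '/usr/bin/python3',
    '/usr/bin/python3.10',
}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_EVENT = re.compile(r'audit\(([\d.]+):(\d+)\)')

Finding = namedtuple('Finding', 'timestamp pid ppid exe argv')

def parse_audit_record(line):
    """Split one auditd record into key=value fields, stripping quotes.
    (auditd hex-encodes arguments containing spaces; those are left as-is.)"""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def group_events(lines):
    """Join the SYSCALL and EXECVE records that share an audit serial number,
    so each event carries both the credentials and the argv of the exec."""
    events = {}
    for line in lines:
        m = _EVENT.search(line)
        if not m:
            continue
        ts, serial = m.groups()
        ev = events.setdefault(serial, {'timestamp': ts})
        rec = parse_audit_record(line)
        if rec.get('type') == 'SYSCALL':
            ev.update(rec)
        elif rec.get('type') == 'EXECVE':
            ev['argv'] = [rec.get(f'a{i}', '') for i in range(int(rec.get('argc', 0)))]
    return events

def suspicious_execs(lines):
    """Return a Finding for every successful execve by the Vitrage user whose
    executable is not on the allowlist."""
    findings = []
    for ev in group_events(lines).values():
        if ev.get('key') != AUDIT_KEY or ev.get('uid') != VITRAGE_UID:
            continue
        if ev.get('success') != 'yes' or ev.get('exe') in EXEC_ALLOWLIST:
            continue
        findings.append(Finding(ev['timestamp'], ev.get('pid'), ev.get('ppid'),
                                ev.get('exe'), ev.get('argv', [])))
    return findings

# Constructed sample records (not captured from a real system).
SAMPLE_AUDIT_LOG = [
    # the service starting a Python worker: allowlisted, benign
    'type=SYSCALL msg=audit(1767225600.101:2001): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=2100 auid=4294967295 uid=42436 gid=42436 euid=42436 comm="vitrage-graph" '
    'exe="/usr/bin/python3" key="vitrage-exec"',
    'type=EXECVE msg=audit(1767225600.101:2001): argc=2 a0="/usr/bin/python3" a1="/usr/bin/vitrage-graph"',
    # a shell spawned from the worker: not allowlisted, flagged
    'type=SYSCALL msg=audit(1767225600.305:2002): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2100 pid=2188 auid=4294967295 uid=42436 gid=42436 euid=42436 comm="sh" '
    'exe="/usr/bin/dash" key="vitrage-exec"',
    'type=EXECVE msg=audit(1767225600.305:2002): argc=3 a0="sh" a1="-c" a2="id"',
    # a failed exec attempt: success=no, not counted
    'type=SYSCALL msg=audit(1767225600.310:2003): arch=c000003e syscall=59 success=no exit=-13 '
    'ppid=2100 pid=2189 auid=4294967295 uid=42436 gid=42436 euid=42436 comm="sh" '
    'exe="/usr/bin/dash" key="vitrage-exec"',
]

if __name__ == '__main__':
    for f in suspicious_execs(SAMPLE_AUDIT_LOG):
        print(f'{f.timestamp} pid={f.pid} ppid={f.ppid} exe={f.exe} argv={f.argv}')
```

Keying on the audit rule's -k tag rather than on the raw syscall number keeps the check portable across architectures, and joining the EXECVE record gives the responder the command line rather than just the interpreter path.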

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations running OpenStack Vitrage should apply the security updates immediately. Although authentication is required, an insider or any compromised credential with Vitrage API access could trigger this RCE, so prompt patching is essential.