CVE-2026-46448
OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints
CVSS 3.1: 5.4 (MEDIUM)
Description
In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.
How to fix CVE-2026-46448
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Debian/nova—no fix listed
- PyPI/nova—no fix listed
Is CVE-2026-46448 being exploited?
No exploitation signal available. Neither a CISA KEV entry nor a current EPSS score has been published for CVE-2026-46448.
Affected packages (2)
- from 0
- >= 18.0.0, <= 31.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |