YAOOK Security Advisory CVE-2026-46448
- Date: 2026-06-17
- Upstream advisory: https://security.openstack.org/ossa/OSSA-2026-022.html
What are CVE-2026-46448 and how do they affect YAOOK?
Erichen from the Institute of Computing Technology, Chinese Academy of Sciences reported that Nova’s server create API does not strip internal scheduler hints. An authenticated user can bypass Placement resource claims and scheduling constraint enforcement, including availability zone, host aggregate, and image trait restrictions. The resulting instance has no Placement allocation, which can lead to compute node resource exhaustion and cross-tenant data persistence on NVMe devices after instance deletion.
Is my cluster vulnerable?
The following images are vulnerable:
- nova images before 1.1.141
- yaook release before 2.4.0
If this image is used in your cluster for the nova-api/nova-scheduler deployment, the cluster is vulnerable.
The image was pre-build ad a private pipeline now published so you can check.
Upgrading
A new stable release will be published according to the release cycle and hotfix releases will be produced starting now. You can upgrade to that release simply by updating your operators.
However, we recommend to add a YAOOK_OP_VERSIONS_OVERRIDE variable to your Nova operator container to pull the image before the YAOOK comprehensive release is ready.
The best way to do this is to set the following in the values.yaml of your nova-operator (make sure to merge this correctly with an existing values.yaml, if you have that).
operator:
extraEnv:
- name: YAOOK_OP_VERSIONS_OVERRIDE
value: |
{
"registry.yaook.cloud/yaook/nova-2023.2": "registry.yaook.cloud/yaook/nova-2023.2:1.1.141",
"registry.yaook.cloud/yaook/nova-2024.1": "registry.yaook.cloud/yaook/nova-2024.1:1.1.141",
"registry.yaook.cloud/yaook/nova-2024.2": "registry.yaook.cloud/yaook/nova-2024.2:1.1.141",
"registry.yaook.cloud/yaook/nova-2025.1": "registry.yaook.cloud/yaook/nova-2025.1:1.1.141"
}If you are not using Helm, you can add the environment variable to the
env section of your nova-operator’s Deployment’s pod template.