YAOOK Security Advisory for OSSA-2026-004
- Date: 2026-03-19
- Upstream advisory: https://security.openstack.org/ossa/OSSA-2026-004.html
- Upstream bug report: https://bugs.launchpad.net/glance/+bug/2138602
What is OSSA-2026-004 and how does it affect YAOOK?
Server-Side Request Forgery (SSRF) vulnerabilities exist in the OpenStack Glance image import functionality. By using HTTP redirects, an authenticated user can
bypass the URL validation checks and make Glance send the import request to internal services.
Only the glance image import functionality is affected. In particular, the 'web-download' and 'glance-download' import methods are subject to this vulnerability, as is the optional (not enabled by default) 'ovf_process' image import plugin.
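The weakness described above is that the URL a user submits is validated once, while the HTTP client then follows redirects to wherever the remote server points. The defensive pattern is to disable automatic redirects and re-run the same validation on every hop. The following is an added example that illustrates that pattern; it is not Glance code and not the upstream fix. The hostnames, the fake DNS table and the fake HTTP transport are constructed so that it runs offline; in a real deployment the transport would be a single HTTP request with redirects disabled.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

# A transport performs ONE request with redirects disabled and returns
# (status, headers, body). The real implementation would use an HTTP client.
Response = Tuple[int, Dict[str, str], bytes]
Transport = Callable[[str], Response]
Resolver = Callable[[str], List[str]]


def url_is_allowed(url: str, resolver: Optional[Resolver] = None) -> bool:
    """Accept only http(s) URLs whose host resolves exclusively to public addresses.

    `resolver` maps a hostname to IP strings; it defaults to DNS via
    socket.getaddrinfo and is injectable so the example can run offline.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    if parsed.username or parsed.password:
        return False  # user:pass@host forms are rejected outright
    try:
        # IP literals are checked directly; names go through the resolver.
        try:
            addrs = [str(ipaddress.ip_address(parsed.hostname))]
        except ValueError:
            if resolver is not None:
                addrs = resolver(parsed.hostname)
            else:
                addrs = [ai[4][0] for ai in socket.getaddrinfo(parsed.hostname, None)]
        if not addrs:
            return False
        # is_global is False for loopback, RFC 1918, link-local, and similar
        # ranges, so a host with any non-public address is refused.
        return all(ipaddress.ip_address(a).is_global for a in addrs)
    except (socket.gaierror, ValueError):
        return False


def fetch_with_revalidation(url: str, transport: Transport,
                            resolver: Optional[Resolver] = None,
                            max_redirects: int = MAX_REDIRECTS) -> bytes:
    """Fetch `url`, following redirects manually and validating every hop.

    Raises ValueError when any hop (including the first URL) is not allowed,
    when a redirect carries no Location header, or when the redirect chain
    exceeds `max_redirects`.
    """
    current = url
    for _ in range(max_redirects + 1):
        if not url_is_allowed(current, resolver):
            raise ValueError(f"blocked by URL validation: {current}")
        status, headers, body = transport(current)
        if status in REDIRECT_STATUSES:
            lowered = {k.lower(): v for k, v in headers.items()}
            location = lowered.get("location")
            if not location:
                raise ValueError("redirect without Location header")
            current = urljoin(current, location)  # Location may be relative
            continue
        return body
    raise ValueError("too many redirects")


# --- constructed offline fixtures (not real hosts or data) ------------------
FAKE_DNS: Dict[str, List[str]] = {
    "images.example.com": ["93.184.216.34"],   # public address
    "internal.example.com": ["10.0.0.5"],      # private address
}

FAKE_SITE: Dict[str, Response] = {
    "http://images.example.com/good.img": (200, {}, b"IMAGE-DATA"),
    # a redirect from a public host into the private network
    "http://images.example.com/hop": (302, {"Location": "http://internal.example.com/secret"}, b""),
    # a relative redirect that stays on the public host
    "http://images.example.com/rel": (302, {"Location": "/good.img"}, b""),
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_transport(url: str) -> Response:
    return FAKE_SITE.get(url, (404, {}, b""))


if __name__ == "__main__":
    print(fetch_with_revalidation("http://images.example.com/rel", fake_transport, fake_resolver))
    try:
        fetch_with_revalidation("http://images.example.com/hop", fake_transport, fake_resolver)
    except ValueError as exc:
        print("rejected:", exc)
```

One caveat that this example does not address: the address checked by the validator and the address the HTTP client later connects to come from two separate DNS lookups, so a name that resolves differently between the two calls can still slip through. A complete fix has the client connect to the address that was validated (or validates at connection time), in addition to re-checking each redirect hop.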
Is my cluster vulnerable?
The following images are vulnerable:
- glance images BEFORE 1.1.156
- Yaook versions <= v1.4.0 and 1.5.0
If any of these images are used in your cluster, the cluster is vulnerable.
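To check the first item in practice, one can list the container images running in the cluster and compare the tag of every glance image against 1.1.156. The helper below is an added example, not YAOOK tooling: it takes image references such as those printed by `kubectl get pods -A -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'` and flags glance images with an older tag. The sample image list is constructed for the example; only the `registry.yaook.cloud/yaook/glance-2025.1` image name comes from this advisory.

```python
import re
from typing import Iterable, List, Tuple

FIXED_GLANCE_TAG = (1, 1, 156)  # first fixed glance image per this advisory

# Matches "<registry>/<path>/glance-<release>[:<tag>][@<digest>]".
GLANCE_IMAGE_RE = re.compile(
    r"^(?P<repo>(?:.*/)?glance-[^:@/]+)(?::(?P<tag>[^@]+))?(?:@.*)?$"
)


def parse_tag(tag: str) -> Tuple[int, ...]:
    """Turn '1.1.155' into (1, 1, 155); raise ValueError for non-numeric tags."""
    return tuple(int(part) for part in tag.split("."))


def vulnerable_glance_images(image_refs: Iterable[str]) -> List[str]:
    """Return the glance image references whose tag is below 1.1.156.

    References with a digest but no tag, or with a non-numeric tag, cannot be
    classified by comparison and are returned as well so that they are
    reviewed by hand instead of silently passing.
    """
    flagged: List[str] = []
    for ref in image_refs:
        ref = ref.strip()
        match = GLANCE_IMAGE_RE.match(ref)
        if not match:
            continue  # not a glance image
        tag = match.group("tag")
        try:
            if tag is None or parse_tag(tag) < FIXED_GLANCE_TAG:
                flagged.append(ref)
        except ValueError:
            flagged.append(ref)  # unparseable tag: needs manual review
    return flagged


# Constructed sample input, as if captured from kubectl (digest is a placeholder).
SAMPLE_IMAGES = """
registry.yaook.cloud/yaook/glance-2025.1:1.1.155
registry.yaook.cloud/yaook/glance-2025.1:1.1.156
registry.yaook.cloud/yaook/keystone-2025.1:1.0.3
registry.yaook.cloud/yaook/glance-2025.1@sha256:PLACEHOLDER_DIGEST
""".strip().splitlines()

if __name__ == "__main__":
    for ref in vulnerable_glance_images(SAMPLE_IMAGES):
        print("needs attention:", ref)
```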
Upgrading
A new stable release 1.4.1 has been published today. You can upgrade to that release simply by updating your operators.
Release 2.0.0 will also have this fix.
If you don't want to wait for the release, you can set a version override on the glance-operator (adjust the OpenStack version to the one you have deployed):
values:
  operator:
    extraEnv:
      - name: YAOOK_OP_VERSIONS_OVERRIDE
        value: |
          registry.yaook.cloud/yaook/glance-2025.1: registry.yaook.cloud/yaook/glance-2025.1:1.1.156