CVE-2026-34881: OpenStack Glance is affected by Server-Side Request Forgery (SSRF)
OpenStack Glance versions < 29.1.1, >= 30.0.0 < 30.1.1, == 31.0.0 are affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only the glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin.
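The bypass described above works when only the submitted URL is validated and redirect targets are not. The following is an added example, not Glance's code or its fix, showing one way to apply the same destination check to every redirect hop with Python's `urllib`. The names `validate_url`, `ValidatingRedirectHandler`, `safe_open` and the injectable `resolve` hook are hypothetical, and the "public addresses only" policy is an assumption.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class BlockedURL(ValueError):
    """Raised when a URL or redirect target fails the destination policy."""


def system_resolve(host):
    """Return every address the host resolves to (hypothetical resolver hook)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_url(url, resolve=system_resolve):
    """Reject URLs whose scheme is not HTTP(S) or whose addresses are not public."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise BlockedURL(f"scheme or host not allowed: {url}")
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # host is an IP literal
    except ValueError:
        addrs = resolve(parts.hostname)  # host is a name: check all its addresses
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            raise BlockedURL(f"{parts.hostname} -> {addr} is not a public address")
    return url


class ValidatingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Apply the same policy to every redirect hop, not only the first URL."""

    def __init__(self, resolve=system_resolve):
        self._resolve = resolve

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # urllib calls this for each 3xx response before following it.
        validate_url(newurl, self._resolve)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def safe_open(url, resolve=system_resolve, timeout=10):
    """Validate the first URL, then fetch with per-hop redirect validation."""
    validate_url(url, resolve)
    opener = urllib.request.build_opener(ValidatingRedirectHandler(resolve))
    return opener.open(url, timeout=timeout)
```

The check and the later connection resolve the hostname separately, so a production fetcher would also connect to the address that was validated.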