[Yaook] [CVE][OSSA-2026-004] Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionality
I forgot to send the advisory also here, but I guess, for now, this list is not used by many.

Hi yaook and OpenStack Users,

today a new security advisory was published by OpenStack and yaook now has a fix for it.

Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionality

By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the 'web-download' and 'glance-download' import methods are subject to this vulnerability, as is the optional (not enabled by default) 'ovf_process' image import plugin.

The following images are vulnerable:

- glance images BEFORE 1.1.156
- Yaook versions <= v1.4.0 and 1.5.0

If any of these images are used in your cluster, the cluster is vulnerable.

A new stable release 1.4.1 will be published today. You can upgrade to that release simply by updating your operators. Release 1.5.1 will also have this fix.

If you don't want to wait for the release, you can use a version override at the glance-operator (adjust the OpenStack version to the version you have deployed):

    values:
      operator:
        extraEnv:
          - name: YAOOK_OP_VERSIONS_OVERRIDE
            value: |
              registry.yaook.cloud/yaook/glance-2025.1: registry.yaook.cloud/yaook/glance-2025.1:1.1.156

See also https://yaook.cloud/security-advisories-ossa-2026-004/

Best regards
Stefan
participants (1)
-
Stefan Hoffmann