Hi yaook and OpenStack Users, today a new security advisory was published by OpenStack and yaook now has a fix for it. Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionality By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the ‚web-download‘ and ‚glance-download‘ import methods are subject to this vulnerability, as is the optional (not enabled by default) ‚ovf_process‘ image import plugin. The following images are vulnerable: glance images BEFORE 1.1.156 Yaook versions <= v1.4.0 and 1.5.0 If any of these images are used in your cluster, the cluster is vulnerable. A new stable release 1.4.1 will be published today. You can upgrade to that release simply by updating your operators. Release 1.5.1 will also have this fix. If you don’t want to wait for the release, you can use a version override at the glance-operator (adjust the OpenStack version to the version you have deployed): values: operator: extraEnv: - name: YAOOK_OP_VERSIONS_OVERRIDE value: | registry.yaook.cloud/yaook/glance-2025.1: registry.yaook.cloud/yaook/glance-2025.1:1.1.156 See also https://yaook.cloud/security-advisories-ossa-2026-004/ Best regards Stefan -- Stefan Hoffmann DevOps-Engineer Cloud&Heat Cloud&Heat Technologies GmbH Königsbrücker Straße 96 (Halle 15) | 01099 Dresden +49 351 479 367 36 stefan.hoffmann@cloudandheat.com | www.cloudandheat.com Green, Open, Efficient. Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. [1] Commercial Register: District Court Dresden Register Number: HRB 30549 VAT ID No.: DE281093504 Managing Director: Nicolas Röhrs Authorized signatory: Dr. Marius Feldmann [1] Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. https://www.cloudandheat.com/