This page lists publicly disclosed CVE vulnerabilities affecting osc open_ondemand (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-26002 | Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below this remain susceptible. | [email protected] | 6.3 | 0.53% | 2026-03-04 | 2026-03-18 |
| CVE-2025-66029 | Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that records these headers when unsuspecting users connect to it. Maintainers anticipate a patch in a 4.1 release. Workarounds exist for 4.0.x versions. Using `custom_location_directives` in `ood_portal.yml` in version 4.0.x (not available for versions below 4.0) c | [email protected] | 7.6 | 0.17% | 2025-12-17 | 2026-02-18 |
| CVE-2020-36247 | Open OnDemand before 1.5.7 and 1.6.x before 1.6.22 allows CSRF. | [email protected] | 8.8 | 0.43% | 2021-02-19 | 2024-11-21 |