CVE-2026-40214

Sažetak

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

Reference

https://bugs.launchpad.net/openstack-cyborg/+bug/2144056
https://security.openstack.org/ossa/OSSA-2026-011.html
https://www.openwall.com/lists/oss-security/2026/05/07/6

CVSS

Base:	6.3
Impact:	3.4
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	LOW

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Zadnje važnije ažuriranje

08-05-2026 - 16:16

Objavljeno

07-05-2026 - 22:16