Home

Description

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.

PUBLISHED Reserved 2026-04-10 | Published 2026-05-07 | Updated 2026-05-07 | Assigner mitre




HIGH: 7.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Problem types

CWE-863 Incorrect Authorization

Product status

Default status
unaffected

5.0.0 (semver) before 14.0.1
affected

15.0.0 (semver) before 15.0.1
affected

16.0.0 (semver) before 16.0.1
affected

References

bugs.launchpad.net/openstack-cyborg/+bug/2143263

www.openwall.com/lists/oss-security/2026/05/07/6

cve.org (CVE-2026-40213)

nvd.nist.gov (CVE-2026-40213)

Download JSON