Home

Description

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

PUBLISHED Reserved 2026-04-10 | Published 2026-05-07 | Updated 2026-05-07 | Assigner mitre




MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Problem types

CWE-282 Improper Ownership Management

Product status

Default status
unaffected

3.0.0 (semver) before 14.0.1
affected

15.0.0 (semver) before 15.0.1
affected

16.0.0 (semver) before 16.0.1
affected

References

bugs.launchpad.net/openstack-cyborg/+bug/2144056

www.openwall.com/lists/oss-security/2026/05/07/6

cve.org (CVE-2026-40214)

nvd.nist.gov (CVE-2026-40214)

Download JSON