CVE-2026-40213
7.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Summary
OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OpenStack | Cyborg | 5.0.0 < 14.0.1 | affected |
| OpenStack | Cyborg | 15.0.0 < 15.0.1 | affected |
| OpenStack | Cyborg | 16.0.0 < 16.0.1 | affected |
Weaknesses
- CWE-863: CWE-863 Incorrect Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://bugs.launchpad.net/openstack-cyborg/+bug/2143263
- https://www.openwall.com/lists/oss-security/2026/05/07/6
- https://security.openstack.org/ossa/OSSA-2026-011.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.