CVE-2026-40214

Summary

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

Affected Software

VendorProductVersion RangeStatus
OpenStackCyborg3.0.0 < 14.0.1affected
OpenStackCyborg15.0.0 < 15.0.1affected
OpenStackCyborg16.0.0 < 16.0.1affected

Weaknesses

  • CWE-282: CWE-282 Improper Ownership Management

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References