CVE-2026-40214

EUVD-2026-28456

07.05.2026, 22:16

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 10%

Debian Releases

Debian Product

Codename

cyborg

forky	16.0.0+git+2026.04.26.b8edfa06f1-1 fixed
sid	16.0.0+git+2026.04.26.b8edfa06f1-1 fixed
trixie	vulnerable
trixie (security)	14.0.0-3+deb13u1 fixed

Common Weakness Enumeration

CWE-282 - Improper Ownership Management
The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

References

https://bugs.launchpad.net/openstack-cyborg/+bug/2144056

https://security.openstack.org/ossa/OSSA-2026-011.html

https://www.openwall.com/lists/oss-security/2026/05/07/6