CVE-2026-49299

EUVD-2026-33074
In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mitreCNA
5.3 MEDIUM
NETWORK
LOW
LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
openstackneutron
26.0.0 ≤
𝑥
< 26.0.4
CNA
openstackneutron
27.0.0 ≤
𝑥
< 27.0.3
CNA
openstackneutron
28.0.0 ≤
𝑥
< 28.0.1
CNA
Debian logo
Debian Releases
Debian Product
Codename
neutron
bookworm
no-dsa
bullseye
postponed
bullseye (security)
vulnerable
forky
2:28.0.0-9
fixed
sid
2:28.0.0-9
fixed
trixie
2:26.0.3-0+deb13u2
fixed
trixie (security)
2:26.0.3-0+deb13u2
fixed