CVE-2026-49299

EUVD-2026-33074
In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
mitre | CNA | 5.3 MEDIUM | NETWORK | LOW | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Score
Percentile: 11%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor | Product | Version | Source
openstack | neutron | 26.0.0 ≤ x < 26.0.4 | CNA
openstack | neutron | 27.0.0 ≤ x < 27.0.3 | CNA
openstack | neutron | 28.0.0 ≤ x < 28.0.1 | CNA
Debian Releases
Debian Product: neutron
Codename:
bookworm: no-dsa
bullseye: vulnerable
bullseye (security): vulnerable
forky: vulnerable
sid: 2:28.0.0-4, fixed
trixie: no-dsa