=================================================================OSSA-2026-011: Multiple access control vulnerabilities in Cyborg accelerator management
=================================================================
:Date: May 07, 2026
:CVE: CVE-2026-40213,
CVE-2026-40214
Affects
~~~~~~~
- Cyborg: >=3.0.0 <14.0.1, >=15.0.0 <15.0.1, >=16.0.0 <16.0.1
Description
~~~~~~~~~~~
Sean Mooney from Red Hat reported multiple access control
vulnerabilities in OpenStack Cyborg. Default policy rules for device,
deployable, and attribute API endpoints use an unconditional allow check
that grants access to any authenticated user regardless of roles or
project scope (CVE-2026-40213). Separately, Accelerator Request (ARQ)
resources lack project ownership enforcement, allowing any authenticated
user to enumerate, delete, or manipulate ARQs belonging to other
projects (CVE-2026-40214). All Cyborg deployments are affected.
Patches ~~~~~~~ - https://review.opendev.org/c/openstack/cyborg/+/987698 (2025.1/epoxy) - https://review.opendev.org/c/openstack/cyborg/+/987699 (2025.1/epoxy) - https://review.opendev.org/c/openstack/cyborg/+/987700 (2025.1/epoxy) - https://review.opendev.org/c/openstack/cyborg/+/987701 (2025.1/epoxy) - https://review.opendev.org/c/openstack/cyborg/+/987702 (2025.1/epoxy) - https://review.opendev.org/c/openstack/cyborg/+/987703 (2025.1/epoxy) - https://review.opendev.org/c/openstack/cyborg/+/987692 (2025.2/flamingo) - https://review.opendev.org/c/openstack/cyborg/+/987693 (2025.2/flamingo) - https://review.opendev.org/c/openstack/cyborg/+/987694 (2025.2/flamingo) - https://review.opendev.org/c/openstack/cyborg/+/987695 (2025.2/flamingo) - https://review.opendev.org/c/openstack/cyborg/+/987696 (2025.2/flamingo) - https://review.opendev.org/c/openstack/cyborg/+/987697 (2025.2/flamingo) - https://review.opendev.org/c/openstack/cyborg/+/987687 (2026.1/gazpacho) - https://review.opendev.org/c/openstack/cyborg/+/987688 (2026.1/gazpacho) - https://review.opendev.org/c/openstack/cyborg/+/987689 (2026.1/gazpacho) - https://review.opendev.org/c/openstack/cyborg/+/987690 (2026.1/gazpacho) - https://review.opendev.org/c/openstack/cyborg/+/987691 (2026.1/gazpacho) - https://review.opendev.org/c/openstack/cyborg/+/987680 (2026.2/hibiscus) - https://review.opendev.org/c/openstack/cyborg/+/987681 (2026.2/hibiscus) - https://review.opendev.org/c/openstack/cyborg/+/987682 (2026.2/hibiscus) - https://review.opendev.org/c/openstack/cyborg/+/987683 (2026.2/hibiscus) - https://review.opendev.org/c/openstack/cyborg/+/987684 (2026.2/hibiscus) - https://review.opendev.org/c/openstack/cyborg/+/987685 (2026.2/hibiscus) - https://review.opendev.org/c/openstack/cyborg/+/987686 (2026.2/hibiscus) Credits ~~~~~~~ - Sean Mooney from Red Hat (CVE-2026-40213, CVE-2026-40214) References ~~~~~~~~~~ - https://launchpad.net/bugs/2143263 - https://launchpad.net/bugs/2144056 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40213 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40214 Notes ~~~~~ - CVE-2026-40213 (policy bypass) affects versions 5.0.0 and later. CVE-2026-40214 (missing ownership) affects versions 3.0.0 and later. The affected-products range covers both. -- Goutham Pacha Ravi (gouthamr) OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html
OpenPGP_0x0638DAD3B82C3988.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
