HarborGuard / CVE
Severity: HIGH · CVE-2026-40213 · CNA: mitre

CVE-2026-40213: OpenStack Cyborg before 16.0.1

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. In oslo.policy the '@' check string matches unconditionally, so any request carrying a valid Keystone token is authorized regardless of its roles, project membership, or scope. An authenticated user with zero role assignments can therefore perform privileged actions, such as reprogramming FPGA bitstreams on arbitrary compute nodes via the agent RPC interface.
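To make the failure mode concrete, the following is an added example (not code from the Cyborg project or from the oslo.policy library): a small Python model of oslo.policy check-string semantics ('@', '!', role:, rule:, project_id:%(project_id)s, and/or/not with parentheses), a weak policy that reproduces the '@' pattern beside a hardened one, and an audit helper that flags any rule which passes for a principal with no roles. The action name cyborg:deployable:program, the rule name admin_api and the request contexts are constructed placeholders, not Cyborg's actual policy targets.

```python
"""Illustrative model of oslo.policy check-string evaluation. Assumption: this
is a simplified reimplementation for demonstration, NOT the oslo.policy
library and NOT Cyborg's code; it mirrors the documented semantics of '@'."""
import re
from typing import Callable, Dict, List

Check = Callable[[dict, dict], bool]   # (target, creds) -> allowed?

# A token is '(' or ')' or a run of non-space chars in which '%(name)s'
# placeholders are kept intact (their parentheses are not grouping).
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")


def _atom(token: str, rules: Dict[str, str]) -> Check:
    """Compile one atom: '@', '!', 'rule:NAME', 'role:NAME' or 'KEY:VALUE'."""
    if token == "@":
        return lambda target, creds: True          # TrueCheck: everyone passes
    if token == "!":
        return lambda target, creds: False         # FalseCheck: nobody passes
    kind, _, value = token.partition(":")
    if kind == "rule":
        # Resolve lazily; an undefined rule is treated as deny in this model.
        return lambda target, creds: compile_check(rules.get(value, "!"), rules)(target, creds)
    if kind == "role":
        return lambda target, creds: value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        # Generic check, e.g. project_id:%(project_id)s: compare a credential
        # field with a field of the resource being acted on.
        target_key = value[2:-2]
        return lambda target, creds: (
            kind in creds and target_key in target
            and str(creds[kind]) == str(target[target_key]))
    return lambda target, creds: str(creds.get(kind)) == value


def compile_check(check_str: str, rules: Dict[str, str]) -> Check:
    """Recursive-descent parse: 'and' binds tighter than 'or', 'not' is unary."""
    if not check_str.strip():
        return lambda target, creds: True          # empty rule also means allow
    tokens = _TOKEN.findall(check_str)
    pos = 0

    def parse_or() -> Check:
        nonlocal pos
        left = parse_and()
        while pos < len(tokens) and tokens[pos].lower() == "or":
            pos += 1
            left = (lambda l, r: lambda t, c: l(t, c) or r(t, c))(left, parse_and())
        return left

    def parse_and() -> Check:
        nonlocal pos
        left = parse_not()
        while pos < len(tokens) and tokens[pos].lower() == "and":
            pos += 1
            left = (lambda l, r: lambda t, c: l(t, c) and r(t, c))(left, parse_not())
        return left

    def parse_not() -> Check:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of check string: %r" % check_str)
        tok = tokens[pos]
        pos += 1
        if tok.lower() == "not":
            inner = parse_not()
            return lambda t, c: not inner(t, c)
        if tok == "(":
            inner = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')' in %r" % check_str)
            pos += 1
            return inner
        return _atom(tok, rules)

    check = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % check_str)
    return check


# Hypothetical action name standing in for a real Cyborg policy target.
ACTION = "cyborg:deployable:program"

# The CVE-2026-40213 pattern: '@' authorizes every holder of a valid token.
WEAK_POLICY = {ACTION: "@"}

# Hardened form: admin, or a project member acting on their own project's device.
HARDENED_POLICY = {
    "admin_api": "role:admin",
    ACTION: "rule:admin_api or (role:member and project_id:%(project_id)s)",
}

# Constructed Keystone-style request contexts (no real identities).
NO_ROLE_USER = {"user_id": "u-1", "project_id": "p-1", "roles": []}
MEMBER_P1 = {"user_id": "u-2", "project_id": "p-1", "roles": ["member"]}
ADMIN = {"user_id": "u-9", "project_id": "p-9", "roles": ["admin"]}


def authorize(policy: Dict[str, str], action: str, target: dict, creds: dict) -> bool:
    return compile_check(policy.get(action, "!"), policy)(target, creds)


def find_allow_all(policy: Dict[str, str]) -> List[str]:
    """Audit heuristic: a rule that passes for a principal with no roles and no
    project, against an empty target, is effectively unconditional."""
    anonymous = {"user_id": "x", "roles": []}
    return [a for a in policy if compile_check(policy[a], policy)({}, anonymous)]


if __name__ == "__main__":
    target = {"project_id": "p-2", "device_id": "fpga-0"}   # someone else's device
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "no-role user allowed:", authorize(pol, ACTION, target, NO_ROLE_USER),
              "| allow-all actions:", find_allow_all(pol))
```

The same audit on a real deployment does not need this model: dump the effective rules with `oslopolicy-policy-generator --namespace cyborg` (or inspect the service's policy.yaml overrides) and treat every check string that is `@` or empty as a finding, since both evaluate to TrueCheck in oslo.policy.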

Metrics

CVSS v3.1 base score: 7.4
Severity: HIGH
Fixed in: 14.0.1, 15.0.1, 16.0.1
Affected products: 1

Fix available: yes
Affected packages
  • OpenStack / Cyborg
    < 14.0.1 (from 5.0.0) · < 15.0.1 (from 15.0.0) · < 16.0.1 (from 16.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L