oss-sec mailing list archives
[OSSA-2026-011] OpenStack Cyborg: Multiple access control vulnerabilities in Cyborg accelerator management (CVE-2026-40213, CVE-2026-40214)
From: Goutham Pacha Ravi <gouthampravi () gmail com>
Date: Thu, 7 May 2026 11:01:10 -0700
=================================================================
OSSA-2026-011: Multiple access control vulnerabilities in Cyborg accelerator management
=================================================================
:Date: May 07, 2026
:CVE: CVE-2026-40213, CVE-2026-40214
Affects
~~~~~~~
- Cyborg: >=3.0.0 <14.0.1, >=15.0.0 <15.0.1, >=16.0.0 <16.0.1
Description
~~~~~~~~~~~
Sean Mooney from Red Hat reported multiple access control
vulnerabilities in OpenStack Cyborg. Default policy rules for device,
deployable, and attribute API endpoints use an unconditional allow check
that grants access to any authenticated user regardless of roles or
project scope (CVE-2026-40213). Separately, Accelerator Request (ARQ)
resources lack project ownership enforcement, allowing any authenticated
user to enumerate, delete, or manipulate ARQs belonging to other
projects (CVE-2026-40214). All Cyborg deployments are affected.
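As an added defender-side check (not part of the advisory or of the Cyborg project's code): a small audit that reads a deployment's flat oslo.policy ``policy.yaml``, flags rules whose check is the unconditional allow oslo.policy accepts as ``""`` or ``"@"``, and emits project-scoped override lines. The rule names in the sample are constructed for illustration and the override expression is an assumed scoped check, not the project's fixed defaults; this only covers the policy defaults (CVE-2026-40213), since the ARQ ownership problem (CVE-2026-40214) is enforced in code by the linked patches.

```python
import re

# Constructed sample of a flat policy.yaml; rule names are illustrative only,
# they are not taken from the advisory or from Cyborg's real policy file.
SAMPLE_POLICY_YAML = """\
# Device / deployable / attribute reads
"cyborg:device:get_all": "@"
"cyborg:device:get_one": ""
"cyborg:deployable:get_all": "rule:admin_or_owner"
"cyborg:attribute:get_one": "@"
"cyborg:arq:get_one": "role:admin or project_id:%(project_id)s"
"""

# oslo.policy treats an empty check string and "@" as "always allow".
UNCONDITIONAL_ALLOW = {"", "@"}

# Assumed scoped replacement: admin role, or the caller's own project.
SCOPED_CHECK = "role:admin or project_id:%(project_id)s"

RULE_LINE = re.compile(r'^\s*"([^"]+)"\s*:\s*"([^"]*)"\s*$')


def parse_policy(text):
    """Parse flat '"name": "check"' lines; comments and blanks are skipped."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if m:
            rules[m.group(1)] = m.group(2).strip()
    return rules


def find_unconditional_allows(rules, prefix="cyborg:"):
    """Names under prefix whose check lets any authenticated caller through."""
    return sorted(name for name, check in rules.items()
                  if name.startswith(prefix) and check in UNCONDITIONAL_ALLOW)


def render_overrides(names, check=SCOPED_CHECK):
    """Policy override lines that replace each flagged rule with a scoped check."""
    return "\n".join(f'"{name}": "{check}"' for name in names)


if __name__ == "__main__":
    flagged = find_unconditional_allows(parse_policy(SAMPLE_POLICY_YAML))
    print("unconditional-allow rules:", flagged)
    print(render_overrides(flagged))
```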
Patches
~~~~~~~
- https://review.opendev.org/c/openstack/cyborg/+/987698 (2025.1/epoxy)
- https://review.opendev.org/c/openstack/cyborg/+/987699 (2025.1/epoxy)
- https://review.opendev.org/c/openstack/cyborg/+/987700 (2025.1/epoxy)
- https://review.opendev.org/c/openstack/cyborg/+/987701 (2025.1/epoxy)
- https://review.opendev.org/c/openstack/cyborg/+/987702 (2025.1/epoxy)
- https://review.opendev.org/c/openstack/cyborg/+/987703 (2025.1/epoxy)
- https://review.opendev.org/c/openstack/cyborg/+/987692 (2025.2/flamingo)
- https://review.opendev.org/c/openstack/cyborg/+/987693 (2025.2/flamingo)
- https://review.opendev.org/c/openstack/cyborg/+/987694 (2025.2/flamingo)
- https://review.opendev.org/c/openstack/cyborg/+/987695 (2025.2/flamingo)
- https://review.opendev.org/c/openstack/cyborg/+/987696 (2025.2/flamingo)
- https://review.opendev.org/c/openstack/cyborg/+/987697 (2025.2/flamingo)
- https://review.opendev.org/c/openstack/cyborg/+/987687 (2026.1/gazpacho)
- https://review.opendev.org/c/openstack/cyborg/+/987688 (2026.1/gazpacho)
- https://review.opendev.org/c/openstack/cyborg/+/987689 (2026.1/gazpacho)
- https://review.opendev.org/c/openstack/cyborg/+/987690 (2026.1/gazpacho)
- https://review.opendev.org/c/openstack/cyborg/+/987691 (2026.1/gazpacho)
- https://review.opendev.org/c/openstack/cyborg/+/987680 (2026.2/hibiscus)
- https://review.opendev.org/c/openstack/cyborg/+/987681 (2026.2/hibiscus)
- https://review.opendev.org/c/openstack/cyborg/+/987682 (2026.2/hibiscus)
- https://review.opendev.org/c/openstack/cyborg/+/987683 (2026.2/hibiscus)
- https://review.opendev.org/c/openstack/cyborg/+/987684 (2026.2/hibiscus)
- https://review.opendev.org/c/openstack/cyborg/+/987685 (2026.2/hibiscus)
- https://review.opendev.org/c/openstack/cyborg/+/987686 (2026.2/hibiscus)
Credits
~~~~~~~
- Sean Mooney from Red Hat (CVE-2026-40213, CVE-2026-40214)
References
~~~~~~~~~~
- https://launchpad.net/bugs/2143263
- https://launchpad.net/bugs/2144056
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40213
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40214
Notes
~~~~~
- CVE-2026-40213 (policy bypass) affects versions 5.0.0 and later. CVE-2026-40214 (missing ownership) affects versions 3.0.0 and later. The affected-products range covers both.
--
Goutham Pacha Ravi (gouthamr)
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html