Re: [OSSA-2026-021] OpenStack Neutron: Neutron port RBAC policy bypass allows project managers to set trusted device owners on shared networks (CVE-2026-pending)

[Goutham Pacha Ravi <gouthampravi () gmail com>]

Errata 1 for OSSA-2026-021: CVE-2026-50266 has been assigned.

======================================================================================================================
OSSA-2026-021: Neutron port RBAC policy bypass allows project managers 
to set trusted device owners on shared networks
======================================================================================================================

:Date: June 04, 2026
:CVE: CVE-2026-50266


Affects
~~~~~~~
- Neutron: >=25.0.0 <25.2.4, >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, ==28.0.0


Description
~~~~~~~~~~~
Tim Shephard from roiai.ca reported a policy enforcement bypass in 
Neutron's default port RBAC rules. A project manager can create or 
update a port on a shared network owned by another project and set 
``device_owner`` to a trusted network-service value such as 
``network:dhcp``. Depending on backend and deployment, this can bypass 
anti-spoofing and security group protections. This is a regression of 
CVE-2015-5240 (OSSA-2015-018) introduced by the manager role support 
change. Deployments running Neutron 25.0.0 or later are affected.



Errata
~~~~~~
CVE-2026-50266 has been assigned for this vulnerability.



Patches
~~~~~~~
- https://review.opendev.org/991523 (2025.1/epoxy)
- https://review.opendev.org/990356 (2025.2/flamingo)
- https://review.opendev.org/990353 (2026.1/gazpacho)
- https://review.opendev.org/990273 (2026.2/hibiscus)


Credits
~~~~~~~
- Tim Shephard from roiai.ca (CVE-2026-50266)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2152115
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50266


Notes
~~~~~
- This is a regression of CVE-2015-5240 (OSSA-2015-018).


OSSA History
~~~~~~~~~~~~
- 2026-06-04 - Errata 1
- 2026-06-04 - Original Version

--
Goutham Pacha Ravi
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html


On 6/4/26 8:00 AM, Goutham Pacha Ravi wrote:
> ======================================================================================================================
> OSSA-2026-021: Neutron port RBAC policy bypass allows project managers 
> to set trusted device owners on shared networks
> ======================================================================================================================
>
> :Date: June 04, 2026
> :CVE: CVE-2026-pending
>
>
> Affects
> ~~~~~~~
> - Neutron: >=25.0.0 <25.2.4, >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, ==28.0.0
>
>
> Description
> ~~~~~~~~~~~
> Tim Shephard from roiai.ca reported a policy enforcement bypass in 
> Neutron's default port RBAC rules. A project manager can create or 
> update a port on a shared network owned by another project and set 
> ``device_owner`` to a trusted network-service value such as 
> ``network:dhcp``. Depending on backend and deployment, this can bypass 
> anti-spoofing and security group protections. This is a regression of 
> CVE-2015-5240 (OSSA-2015-018) introduced by the manager role support 
> change. Deployments running Neutron 25.0.0 or later are affected.
>
>
>
> Patches
> ~~~~~~~
> - https://review.opendev.org/991523 (2025.1/epoxy)
> - https://review.opendev.org/990356 (2025.2/flamingo)
> - https://review.opendev.org/990353 (2026.1/gazpacho)
> - https://review.opendev.org/990273 (2026.2/hibiscus)
>
>
> Credits
> ~~~~~~~
> - Tim Shephard from roiai.ca (CVE-2026-pending)
>
>
> References
> ~~~~~~~~~~
> - https://launchpad.net/bugs/2152115
> - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending
>
>
> Notes
> ~~~~~
> - A CVE request has been filed with MITRE (CAN-2026-2030702).
> - This is a regression of CVE-2015-5240 (OSSA-2015-018).
>
> --
> Goutham Pacha Ravi
> OpenStack Vulnerability Management Team
> https://security.openstack.org/vmt.html

Attachment: OpenPGP_0x0638DAD3B82C3988.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature