CVE-2026-40213

HIGH CVSS 7.4 View on NVD ↗

Description

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

References

https://bugs.launchpad.net/openstack-cyborg/+bug/2143263
https://security.openstack.org/ossa/OSSA-2026-011.html
https://www.openwall.com/lists/oss-security/2026/05/07/6

Published: May 07, 2026 22:16 UTC Modified: May 08, 2026 16:16 UTC