Skip to main content

OpenStack Cyborg CVE-2026-40214

| EUVDEUVD-2026-28456 MEDIUM
Improper Ownership Management (CWE-282)
2026-05-07 cve@mitre.org GHSA-mmpc-xjxr-5hf8
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch available
May 07, 2026 - 23:02 EUVD
Analysis Generated
May 07, 2026 - 22:30 vuln.today
CVE Published
May 07, 2026 - 22:16 nvd
MEDIUM 6.3

DescriptionCVE.org

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

AnalysisAI

OpenStack Cyborg before 16.0.1 fails to enforce project ownership in the Accelerator Request (ARQ) API, allowing any authenticated non-admin user to delete, modify, or access ARQs bound to other projects' instances across tenant boundaries. The vulnerability stems from a combination of unpopulated project_id columns, missing database-layer filtering, and self-referential authorization checks, enabling cross-tenant denial of service and potential information disclosure. EPSS risk is moderate (6.3 CVSS), and the vulnerability requires valid authentication but no special privileges or interaction, making it exploitable by any tenant user in multi-tenant OpenStack deployments.

Technical ContextAI

OpenStack Cyborg is an accelerator lifecycle management service within OpenStack that manages hardware accelerators (GPUs, FPGAs, etc.) via the Accelerator Request (ARQ) API. The vulnerability exploits three layered authorization failures: (1) the database schema includes a project_id column that is never populated during ARQ creation, leaving it NULL for all records; (2) database queries lack WHERE clauses filtering by project ownership, enabling cross-project visibility; (3) the authorize_wsgi policy decorator performs a self-referential check comparing the authenticated caller's project_id against itself rather than validating against the target ARQ's project. This cascades from the API layer through the database layer without intermediate authorization enforcement. CWE-282 (Improper Ownership Validation) accurately describes the root cause: the system fails to verify that the user making a request owns or has permission to access the resource being modified.

RemediationAI

Upgrade OpenStack Cyborg to version 16.0.1 or later immediately. The vendor-released patch is available in Cyborg 16.0.1, which remedies the vulnerability by implementing proper project ownership validation across all ARQ API endpoints. The fix populates the project_id column during ARQ creation, enforces database-layer filtering in all queries, and corrects the authorization policy to validate the caller's project against the target resource's project rather than performing self-referential checks. For deployments unable to upgrade immediately, implement network-level compensating controls: restrict ARQ API access to trusted admin hosts only using firewall rules; disable ARQ functionality entirely if not actively used; or deploy a reverse proxy that validates project ownership before forwarding requests to Cyborg. Note that network-level controls do not fix the underlying authorization flaw and may impact operational agility. The Launchpad advisory (bugs.launchpad.net/openstack-cyborg/+bug/2144056) and OpenStackSecurity mailing list (openwall.com/lists/oss-security/2026/05/07/6) contain detailed patch information.

Share

CVE-2026-40214 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy