Which versions of OpenStack Swift are affected by CVE-2026-49017?

OpenStack Swift's s3api middleware (versions 2.36.0-2.36.1, 2.37.0-2.37.1) contains a denial-of-service vulnerability that allows authenticated S3 API users to permanently disable proxy-server…. A patch is available.

How to fix or mitigate CVE-2026-49017?

Within 24 hours: inventory all Swift deployments running affected versions (2.36.0-2.36.1, 2.37.0-2.37.1). Within 7 days: apply vendor patches (upgrade to Swift 2.36.2 or 2.37.2). Within 30 days: complete rollout across all environments and validate proxy-server stability under operational load.

OpenStack Swift CVE-2026-49017

Q: What is the CVSS score of CVE-2026-49017?

CVE-2026-49017 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-32040 HIGH

Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)

2026-05-27 mitre

GHSA-g7jq-j257-rww2

Denial Of Service Swift

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 20:37 vuln.today

DescriptionNVD

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.

AnalysisAI

Denial of service in OpenStack Swift's s3api middleware allows an authenticated S3 API user to permanently hang proxy-server workers by sending a truncated aws-chunked PUT request body. Versions 2.36.0 through 2.36.1 and 2.37.0 through 2.37.1 are affected; the defect was introduced in 2.36.0 and fixed in 2.36.2 and 2.37.2. …

RemediationAI

Within 24 hours: inventory all Swift deployments running affected versions (2.36.0-2.36.1, 2.37.0-2.37.1). Within 7 days: apply vendor patches (upgrade to Swift 2.36.2 or 2.37.2). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-49017 vulnerability details – vuln.today

Back

OpenStack Swift CVE-2026-49017

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

OpenStack Swift CVE-2026-49017

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code