Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
AnalysisAI
Incorrect authorization in OpenStack Neutron 26.0.0 through pre-28.0.1 allows authenticated project readers to write (create and update) tags on same-project resources, exceeding their intended read-only scope. The root cause is a naming mismatch in the tagging controller: single-tag write operations are enforced using plural policy action names (e.g., 'add_tags'), while the configured policy rules use singular names (e.g., 'add_tag'). Because the plural names do not match any defined rule, OpenStack's default policy behavior evaluates the action as permitted. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.
Technical ContextAI
OpenStack Neutron is the network-as-a-service component of the OpenStack cloud platform. Authorization in Neutron is governed by oslo.policy, which maps API actions to named policy rules. The tagging controller - responsible for managing resource tags via the Neutron REST API - incorrectly uses pluralized action names when enforcing policy on individual tag write operations (e.g., PUT/DELETE on a single tag). The authoritative policy rules are defined under singular names. When oslo.policy cannot find a matching rule for an action name, the default behavior may resolve to permit, effectively bypassing the intended access control gate. CWE-863 (Incorrect Authorization) captures this class precisely: the system performs an access check, but the check evaluates the wrong policy target, yielding an incorrect allow decision. Affected CPE data is not explicitly provided, but the CVE description scopes impact to deployments running Neutron 26.0.0 or later.
RemediationAI
The primary remediation is to upgrade OpenStack Neutron to version 28.0.1 or later, which contains the authoritative fix aligning the tagging controller's policy action names with the defined singular rule names. The upstream patch is tracked in the OpenDev code review at https://review.opendev.org/c/openstack/neutron/+/989099. For deployments that cannot immediately upgrade, a compensating control is to override the default policy to explicitly define rules for the plural action names (e.g., 'add_tags', 'update_tags') with appropriate deny-or-restrict semantics for project reader roles - however, this requires understanding the full set of plural names used by the tagging controller and careful policy authoring to avoid gaps. Restricting project reader role assignments to trusted principals is an additional risk reduction measure while patching is pending. Operators should review the Launchpad bug at https://bugs.launchpad.net/bugs/2150132 and the oss-security announcement at https://www.openwall.com/lists/oss-security/2026/05/28/8 for full operator guidance.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33074
GHSA-xv24-hxh9-2hh9