Skip to main content

OpenStack Neutron CVE-2026-50266

| EUVDEUVD-2026-34301 LOW
Incorrect Authorization (CWE-863)
2026-06-04 mitre GHSA-qmc5-gv6v-8p22
2.2
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.2 LOW
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 17:05 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 29 pypi packages depend on neutron (29 direct, 1 indirect)

Ecosystem-wide dependent count for version 28.0.1.

DescriptionCVE.org

In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).

AnalysisAI

Incorrect RBAC policy in OpenStack Neutron before 28.0.1 allows an authenticated project manager to set device_owner on ports of shared networks they do not own to privileged network-service values (e.g., 'network:dhcp'), obtaining trusted network-service port behavior without owning the underlying network. Depending on backend and deployment configuration, this enables DHCP, MAC, or IP spoofing against co-tenants sharing that network, effectively bypassing anti-spoofing and security group protections. This is a confirmed regression of CVE-2015-5240 (OSSA-2015-018); no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Technical ContextAI

OpenStack Neutron is the network-as-a-service component of OpenStack, responsible for managing virtual networks, ports, and associated security policies for multi-tenant cloud deployments. Neutron enforces access control through RBAC policies that govern which roles can perform which port operations. The root cause, classified as CWE-863 (Incorrect Authorization), is that Neutron's default port RBAC policies for create and update operations incorrectly included the PROJECT_MANAGER role without a corresponding ownership check on the target network. Normally, setting device_owner to a value prefixed with 'network:' (such as 'network:dhcp' or 'network:router_interface') signals to the Neutron data plane that the port belongs to a trusted infrastructure service, which exempts it from anti-spoofing rules and security group enforcement. By exploiting the missing ownership guard, a project manager on any project with access to a shared network can impersonate a network-service port on that network. The affected CPE is cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*, covering all Neutron versions prior to 28.0.1.

RemediationAI

The primary fix is to upgrade OpenStack Neutron to version 28.0.1 or later, where the default port RBAC policies have been corrected to require network ownership when setting a device_owner value prefixed with 'network:'. Three upstream patch commits have been published: https://review.opendev.org/990273, https://review.opendev.org/990353, and https://review.opendev.org/990356. Operators unable to patch immediately should audit and manually restrict their port RBAC policies to remove PROJECT_MANAGER from the rules governing device_owner assignment on shared networks - note that this may break legitimate automation workflows that rely on project managers managing their own network-service ports, requiring policy review before applying. Additionally, operators should audit existing ports on shared networks for unexpected device_owner values beginning with 'network:' that were set by non-owner projects, as these may indicate prior exploitation or misconfiguration. The Launchpad bug (https://launchpad.net/bugs/2152115) and oss-security thread (https://www.openwall.com/lists/oss-security/2026/06/04/6) provide additional operator guidance.

CVE-2015-8914 CRITICAL POC
9.1 Jun 17

The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an int

CVE-2021-38598 CRITICAL POC
9.1 Aug 23

OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbrid

CVE-2015-3221 MEDIUM POC
4.0 Aug 26

OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 (kilo), when using the IPTables firewall driver, a

CVE-2021-40797 MEDIUM POC
6.5 Sep 08

An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before

CVE-2021-40085 MEDIUM POC
6.5 Aug 31

An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Rated medium sev

CVE-2019-9735 MEDIUM POC
6.5 Mar 13

An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x bef

CVE-2016-5362 HIGH
8.2 Jun 17

The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an int

CVE-2016-5363 HIGH
8.2 Jun 17

The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an int

CVE-2014-0187 CRITICAL
9.0 Apr 28

The openvswitch-agent process in OpenStack Neutron 2013.1 before 2013.2.4 and 2014.1 before 2014.1.1 allows remote authe

CVE-2013-6433 HIGH
7.6 Jun 02

The default configuration in the Red Hat openstack-neutron package before 2013.2.3-7 does not properly set a configurati

CVE-2014-3632 HIGH
7.6 Oct 07

The default configuration in a sudoers file in the Red Hat openstack-neutron package before 2014.1.2-4, as used in Red H

CVE-2021-20267 HIGH
7.1 May 28

A flaw was found in openstack-neutron's default Open vSwitch firewall rules. Rated high severity (CVSS 7.1), this vulner

Share

CVE-2026-50266 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy