CVE-2026-40213

Published: May 7, 2026Modified: May 8, 2026

7.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Exploitability: 3.1 / Impact: 3.7

Source: MITRE (Secondary)

Description

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (3)

https://bugs.launchpad.net/openstack-cyborg/+bug/2143263

Source: cve@mitre.org

https://security.openstack.org/ossa/OSSA-2026-011.html

Source: cve@mitre.org

https://www.openwall.com/lists/oss-security/2026/05/07/6

Source: cve@mitre.org

Timeline

No history available yet.