Source: cyborg X-Debbugs-CC: [email protected] Severity: important Tags: security
Hi,

The following vulnerabilities were published for cyborg.

CVE-2026-40213[0]:
| OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as
| the default policy for multiple API endpoints. This unconditionally
| authorizes any request carrying a valid Keystone token regardless of
| roles, project membership, or scope. An authenticated user with zero
| role assignments can complete various actions such as reprogramming
| FPGA bitstreams on arbitrary compute nodes via agent RPC.

CVE-2026-40214[1]:
| In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API
| does not enforce project ownership at any layer. The project_id
| column in the database is never populated (NULL for every ARQ),
| database queries have no project filtering, and policy checks are
| self-referential (the authorize_wsgi decorator compares the caller's
| project_id with itself rather than the target resource). Any
| authenticated non-admin user can complete various actions such as
| deleting ARQs bound to other projects' instances, aka cross-tenant
| denial of service.

https://www.openwall.com/lists/oss-security/2026/05/07/6

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40213
    https://www.cve.org/CVERecord?id=CVE-2026-40213
[1] https://security-tracker.debian.org/tracker/CVE-2026-40214
    https://www.cve.org/CVERecord?id=CVE-2026-40214

Please adjust the affected versions in the BTS as needed.
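The two policy defects described above (an unconditional `@` default rule, and an ownership check whose target is built from the caller instead of the stored resource), shown with a small stand-alone oslo.policy-style evaluator. This is an added illustration, not Cyborg or oslo.policy code; the rule strings, caller credentials and ARQ record are constructed sample values.

```python
"""Constructed mini policy evaluator mimicking oslo.policy rule semantics.
Supports only '@', '!', 'role:<name>', generic 'attr:%(attr)s' checks and ' or '."""
from typing import Dict


def _check_atom(atom: str, creds: Dict, target: Dict) -> bool:
    """Evaluate one 'kind:match' atom the way oslo.policy's generic checks do."""
    atom = atom.strip()
    if atom == "@":            # rule:allow -> authorizes any valid token, roles ignored
        return True
    if atom == "!":            # rule:deny
        return False
    kind, _, match = atom.partition(":")
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        expected = match % target          # substitute target attributes
    except KeyError:
        return False                       # target lacks the attribute -> deny
    return str(creds.get(kind)) == expected


def authorize(rule: str, creds: Dict, target: Dict) -> bool:
    """Return True if any ' or '-separated atom of the rule passes."""
    return any(_check_atom(a, creds, target) for a in rule.split(" or "))


# Constructed rules: the vulnerable default and a project-scoped replacement.
ALLOW_DEFAULT = "@"
PROJECT_SCOPED = "role:admin or project_id:%(project_id)s"

# Constructed sample: caller holds a valid token with zero roles in project A;
# the ARQ being deleted belongs to project B.
CALLER = {"project_id": "proj-a", "roles": []}
ARQ = {"project_id": "proj-b", "uuid": "constructed-arq-uuid"}


def default_policy_allows_zero_roles() -> bool:
    """CVE-2026-40213 pattern: '@' authorizes the role-less caller."""
    return authorize(ALLOW_DEFAULT, CALLER, ARQ)


def self_referential_check() -> bool:
    """CVE-2026-40214 pattern: target built from the caller's own project_id always passes."""
    return authorize(PROJECT_SCOPED, CALLER, {"project_id": CALLER["project_id"]})


def resource_owner_check() -> bool:
    """Corrected form: target is the stored ARQ, so the cross-project request is denied."""
    return authorize(PROJECT_SCOPED, CALLER, ARQ)
```

The fix has two halves, and the example shows why both matter: the rule string must require a role or project match, and the target passed to the check must come from the persisted resource (which in turn requires the `project_id` column to actually be populated).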

