Source: swift Severity: important Tags: patch security X-Debbugs-Cc: Debian Security Team <[email protected]>
As per upstream announce: https://security.openstack.org/ossa/OSSA-2026-024.html OSSA-2026-024: Swift proxy-server SSRF via header injection Date: June 23, 2026 CVE: CVE-2026-50221 Affects: Swift: >=2.0.0 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2 Description: Tim Shephard from roiai.ca reported a server-side request forgery (SSRF) vulnerability in Swift’s proxy-server. An authenticated user can cause Swift object servers to issue outbound HTTP requests to attacker-specified hosts, potentially exposing internal infrastructure details. All deployments running Swift 2.0.0 or later are affected. Patches https://review.opendev.org/994452 (2025.1/epoxy) https://review.opendev.org/994451 (2025.2/flamingo) https://review.opendev.org/994450 (2026.1/gazpacho) https://review.opendev.org/994449 (2026.2/hibiscus (development)) Credits Tim Shephard from roiai.ca (CVE-2026-50221) References https://launchpad.net/bugs/2150261 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50221

