Source: swift
Severity: important
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

As per the upstream announcement:
https://security.openstack.org/ossa/OSSA-2026-024.html

OSSA-2026-024: Swift proxy-server SSRF via header injection

Date: June 23, 2026
CVE: CVE-2026-50221

Affects:
    Swift: >=2.0.0 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2

Description:
Tim Shephard from roiai.ca reported a server-side request forgery (SSRF)
vulnerability in Swift’s proxy-server. An authenticated user can cause Swift
object servers to issue outbound HTTP requests to attacker-specified hosts,
potentially exposing internal infrastructure details. All deployments running
Swift 2.0.0 or later are affected.

Patches
    https://review.opendev.org/994452 (2025.1/epoxy)
    https://review.opendev.org/994451 (2025.2/flamingo)
    https://review.opendev.org/994450 (2026.1/gazpacho)
    https://review.opendev.org/994449 (2026.2/hibiscus (development))

Credits
    Tim Shephard from roiai.ca (CVE-2026-50221)

References
    https://launchpad.net/bugs/2150261
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50221
