=========================================================================
OSSA-2026-009: Unauthenticated session flood via login redirect storage
=========================================================================

:Date: April 27, 2026
:CVE: CVE-2026-43002

Affects
~~~~~~~
- Horizon: >=25.6.0 <25.7.3

Description
~~~~~~~~~~~
Erichen (Institute of Computing Technology, Chinese Academy of Sciences)
reported a denial of service vulnerability in Horizon. The login view stores
a post-login redirect URL in the server-side session before the user
authenticates. Because each unauthenticated request without a session cookie
therefore creates a new persistent session entry, an attacker can exhaust the
session storage backend (Memcached, Redis, or database) by sending repeated
requests to ``/auth/login/?next=URL``. When the backend reaches capacity,
legitimate sessions are evicted, logging out administrators and preventing
them from accessing the dashboard. This is a regression of CVE-2014-8124.
Deployments running Horizon from the 2026.1 (Gazpacho) release series with
the default session configuration are affected. Earlier release series do not
contain the vulnerable code.

Patches
~~~~~~~
- https://review.opendev.org/c/openstack/horizon/+/986834 (2026.1/gazpacho)

Credits
~~~~~~~
- Erichen from Institute of Computing Technology, Chinese Academy of
  Sciences (CVE-2026-43002)

References
~~~~~~~~~~
- https://launchpad.net/bugs/2150331
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43002

Notes
~~~~~
- This vulnerability was introduced in commit 3e2ff4e06 (Horizon 25.6.0)
  and only affects the 2026.1 (Gazpacho) release series. Earlier releases
  are not affected.
- This is a regression of CVE-2014-8124. The original middleware-level fix
  remains effective, but the new view-layer session write bypasses it.

--
Goutham Pacha Ravi (gouthamr)
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
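The failure mode the Description explains, as an added example that is not Horizon's or Django's code and is not the fix linked under Patches. A toy fixed-capacity store with LRU eviction stands in for Memcached, a minimal lazy session object stands in for a session middleware that only persists a session that was modified during the request, and two hypothetical login views contrast writing the ``next`` target into the server-side session on an anonymous GET (the pattern the advisory describes) with handing it back to the client and storing it only after a successful login. The class and function names, the capacity of 50, the flood of 200 requests and the sample URLs are all assumptions made for the illustration.

```python
"""Constructed simulation of an unauthenticated session flood.

Not Horizon or Django code: every name and number is an assumption chosen
to illustrate the pattern in the advisory above.
"""
from collections import OrderedDict
import secrets


class CapacityLimitedSessionStore:
    """Stand-in for a cache backend with a fixed number of slots.

    When full, the least recently used entry is evicted, which is roughly
    what Memcached does at capacity.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self._entries = OrderedDict()

    def save(self, key, data):
        if key in self._entries:
            self._entries.move_to_end(key)
        self._entries[key] = dict(data)
        while len(self._entries) > self.capacity:
            self._entries.popitem(last=False)  # evict the LRU session

    def load(self, key):
        if key not in self._entries:
            return None
        self._entries.move_to_end(key)
        return dict(self._entries[key])

    def __len__(self):
        return len(self._entries)


class Session:
    """Lazy session: persisted at the end of the request only if modified."""

    def __init__(self, store, key=None):
        self.store = store
        self.key = key
        self.data = (store.load(key) if key else None) or {}
        self.modified = False

    def __setitem__(self, k, v):
        self.data[k] = v
        self.modified = True

    def flush_to_store(self):
        """What a session middleware does at the end of the request."""
        if not self.modified:
            return self.key  # untouched anonymous session: nothing is stored
        if self.key is None:
            self.key = secrets.token_hex(16)
        self.store.save(self.key, self.data)
        return self.key


def vulnerable_login_get(session, next_url):
    """Hypothetical view: records the redirect in the session before auth.

    Every cookie-less GET modifies the session, so every such request
    costs one slot in the backend.
    """
    session["next"] = next_url
    return session.flush_to_store()


def hardened_login_get(session, next_url):
    """Hypothetical view: hands the redirect back to the client instead.

    The anonymous session is left untouched; the target is rendered into
    the login form (returned here as template context) and only stored by
    the POST handler once authentication succeeds.
    """
    context = {"next": next_url}
    session.flush_to_store()  # not modified, so nothing is persisted
    return context


def hardened_login_post(session, next_url, authenticated):
    """Hypothetical POST handler: writes to the session only for a real user."""
    if authenticated:
        session["user_id"] = "some-user"
        session["next"] = next_url
    return session.flush_to_store()


def simulate_flood(view, capacity=50, flood_requests=200):
    """Log an admin in, then replay cookie-less GETs against the login view."""
    store = CapacityLimitedSessionStore(capacity)
    admin = Session(store)
    admin["user_id"] = "admin"  # constructed: one legitimate logged-in admin
    admin_key = admin.flush_to_store()
    for i in range(flood_requests):  # constructed: /auth/login/?next=URL, no cookie
        view(Session(store), f"/project/instances/?n={i}")
    return {
        "admin_session_alive": store.load(admin_key) is not None,
        "sessions_persisted": len(store),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate_flood(vulnerable_login_get))
    print("hardened:  ", simulate_flood(hardened_login_get))
```

Running the module prints the vulnerable result with the admin session evicted and the store pinned at capacity, and the hardened result with a single persisted session. The point the simulation makes is that the backend's capacity is not a mitigation: eviction of legitimate sessions is the harm, so the only durable fix is to avoid any server-side session write on an unauthenticated request.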
