==================================================================================
OSSA-2026-016: Neutron tagging policy bypass allows project readers to mutate tags
==================================================================================

:Date: May 28, 2026
:CVE: CVE-2026-pending


Affects
~~~~~~~
- Neutron: >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, >=28.0.0 <28.0.1


Description
~~~~~~~~~~~
Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron's tagging controller. The controller enforces plural policy action names on single-tag write operations, while the defined policy rules use singular names. Because no rule matches the plural names, the checks fall back to the default policy, which evaluates as allowed; a project reader can therefore create and update tags on resources in their own project. Deployments running Neutron 26.0.0 or later are affected.
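The mechanism is a name lookup that silently falls through to a permissive default rule. The following is an added illustration written for this advisory; it is not Neutron or oslo.policy code, and the action names (``create_tag`` / ``create_tags``), role names and check functions are hypothetical stand-ins for whatever the real policy files define. It shows a reader passing the check under the mismatched name, the same reader being denied under the registered name, and a small audit helper that lists enforced action names with no registered rule:

```python
"""Constructed model of a policy action-name mismatch (added example, not
Neutron or oslo.policy code).

A policy table registers checks under singular action names for single-tag
writes. A controller that enforces the plural spelling matches no registered
rule, so the lookup falls through to the 'default' rule. If that default is
owner-based, a project reader passes the check on same-project resources.
Rule names, roles and check logic below are hypothetical stand-ins.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Minimal request context: caller's project and roles."""
    project_id: str
    roles: frozenset


def admin_or_owner(ctx, target):
    """Hypothetical owner-based check: any caller from the owning project passes."""
    return "admin" in ctx.roles or ctx.project_id == target["project_id"]


def admin_or_member(ctx, target):
    """Hypothetical write check: a 'reader' role alone is not enough."""
    return "admin" in ctx.roles or (
        "member" in ctx.roles and ctx.project_id == target["project_id"]
    )


# Constructed policy table: singular action names for single-tag writes and a
# permissive 'default' rule that unknown action names fall back to.
POLICY = {
    "create_tag": admin_or_member,
    "update_tag": admin_or_member,
    "default": admin_or_owner,
}


def enforce(action, ctx, target, policy=POLICY, strict=False):
    """Evaluate `action` for `ctx` against `target`.

    With strict=False an unregistered action name silently uses the 'default'
    rule (the behaviour that produces the bypass). With strict=True an
    unregistered name raises, so a name mismatch surfaces as a test failure
    rather than as an authorization hole.
    """
    check = policy.get(action)
    if check is None:
        if strict:
            raise KeyError(f"no policy rule registered for action {action!r}")
        check = policy["default"]
    return check(ctx, target)


def buggy_create_tag(ctx, target):
    """Controller enforcing the plural spelling: no rule matches, default applies."""
    return enforce("create_tags", ctx, target)


def fixed_create_tag(ctx, target):
    """Controller enforcing the name the policy table actually registers."""
    return enforce("create_tag", ctx, target)


def unregistered_actions(enforced_names, policy=POLICY):
    """Return action names a controller enforces that no policy rule defines.

    Running this over every action name a service passes to its enforcer is a
    cheap regression check for this class of mismatch.
    """
    return sorted(name for name in enforced_names if name not in policy)


# Constructed sample: a reader in project p1 tagging a p1-owned network.
READER = Context(project_id="p1", roles=frozenset({"reader"}))
NETWORK = {"project_id": "p1", "id": "net-1"}

if __name__ == "__main__":
    print("buggy controller allows reader:", buggy_create_tag(READER, NETWORK))  # True
    print("fixed controller allows reader:", fixed_create_tag(READER, NETWORK))  # False
    print("unregistered:", unregistered_actions(["create_tags", "update_tags", "create_tag"]))
```

The ``strict`` flag and ``unregistered_actions`` helper are the defensive half of the example: a unit test that enumerates every action name a service enforces and asserts each one is registered catches this bug before it reaches a release, independent of what the default rule happens to permit.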



Patches
~~~~~~~
- https://review.opendev.org/989376 (2025.1/epoxy)
- https://review.opendev.org/989375 (2025.2/flamingo)
- https://review.opendev.org/989374 (2026.1/gazpacho)
- https://review.opendev.org/989099 (2026.2/hibiscus)


Credits
~~~~~~~
- Tim Shephard from roiai.ca (CVE-2026-pending)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2150132
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending


Notes
~~~~~
- CVE assignment is pending (MITRE CAN-2026-2030611).


--
Goutham Pacha Ravi (gouthamr)
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
