[oss-security] [OSSA-2026-021] OpenStack Neutron: Neutron port RBAC policy bypass allows project managers to set trusted device owners on shared networks (CVE-2026-pending)

[Goutham Pacha Ravi]

======================================================================================================================

======================================================================================================================

:Date: June 04, 2026
:CVE: CVE-2026-pending


Affects
~~~~~~~
- Neutron: >=25.0.0 <25.2.4, >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, ==28.0.0


Description
~~~~~~~~~~~




Patches
~~~~~~~
- https://review.opendev.org/991523 (2025.1/epoxy)
- https://review.opendev.org/990356 (2025.2/flamingo)
- https://review.opendev.org/990353 (2026.1/gazpacho)
- https://review.opendev.org/990273 (2026.2/hibiscus)


Credits
~~~~~~~
- Tim Shephard from roiai.ca (CVE-2026-pending)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2152115
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending


Notes
~~~~~
- A CVE request has been filed with MITRE (CAN-2026-2030702).
- This is a regression of CVE-2015-5240 (OSSA-2015-018).

--
Goutham Pacha Ravi
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

OSSA-2026-021: Neutron port RBAC policy bypass allows project managers to set trusted device owners on shared networks Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron's default port RBAC rules. A project manager can create or update a port on a shared network owned by another project and set ``device_owner`` to a trusted network-service value such as ``network:dhcp``. Depending on backend and deployment, this can bypass anti-spoofing and security group protections. This is a regression of CVE-2015-5240 (OSSA-2015-018) introduced by the manager role support change. Deployments running Neutron 25.0.0 or later are affected.

OpenPGP_0x0638DAD3B82C3988.asc
Description: OpenPGP public key

OpenPGP_signature.asc
Description: OpenPGP digital signature