[oss-security] Re: [OSSA-2026-021] OpenStack Neutron: Neutron port RBAC policy bypass allows project managers to set trusted device owners on shared networks (CVE-2026-pending)

Thu, 04 Jun 2026 15:53:32 -0700 

Errata 1 for OSSA-2026-021: CVE-2026-50266 has been assigned.

======================================================================================================================
OSSA-2026-021: Neutron port RBAC policy bypass allows project managers to set trusted device owners on shared networks 
======================================================================================================================

:Date: June 04, 2026
:CVE: CVE-2026-50266


Affects
~~~~~~~
- Neutron: >=25.0.0 <25.2.4, >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, ==28.0.0


Description
~~~~~~~~~~~
Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron's default port RBAC rules. A project manager can create or update a port on a shared network owned by another project and set ``device_owner`` to a trusted network-service value such as ``network:dhcp``. Depending on backend and deployment, this can bypass anti-spoofing and security group protections. This is a regression of CVE-2015-5240 (OSSA-2015-018) introduced by the manager role support change. Deployments running Neutron 25.0.0 or later are affected. 



Errata
~~~~~~
CVE-2026-50266 has been assigned for this vulnerability.



Patches
~~~~~~~
- https://review.opendev.org/991523 (2025.1/epoxy)
- https://review.opendev.org/990356 (2025.2/flamingo)
- https://review.opendev.org/990353 (2026.1/gazpacho)
- https://review.opendev.org/990273 (2026.2/hibiscus)


Credits
~~~~~~~
- Tim Shephard from roiai.ca (CVE-2026-50266)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2152115
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50266


Notes
~~~~~
- This is a regression of CVE-2015-5240 (OSSA-2015-018).


OSSA History
~~~~~~~~~~~~
- 2026-06-04 - Errata 1
- 2026-06-04 - Original Version

--
Goutham Pacha Ravi
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html


On 6/4/26 8:00 AM, Goutham Pacha Ravi wrote:

======================================================================================================================
OSSA-2026-021: Neutron port RBAC policy bypass allows project managers to set trusted device owners on shared networks 
======================================================================================================================

:Date: June 04, 2026
:CVE: CVE-2026-pending


Affects
~~~~~~~
- Neutron: >=25.0.0 <25.2.4, >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, ==28.0.0


Description
~~~~~~~~~~~
Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron's default port RBAC rules. A project manager can create or update a port on a shared network owned by another project and set ``device_owner`` to a trusted network-service value such as ``network:dhcp``. Depending on backend and deployment, this can bypass anti-spoofing and security group protections. This is a regression of CVE-2015-5240 (OSSA-2015-018) introduced by the manager role support change. Deployments running Neutron 25.0.0 or later are affected. 



Patches
~~~~~~~
- https://review.opendev.org/991523 (2025.1/epoxy)
- https://review.opendev.org/990356 (2025.2/flamingo)
- https://review.opendev.org/990353 (2026.1/gazpacho)
- https://review.opendev.org/990273 (2026.2/hibiscus)


Credits
~~~~~~~
- Tim Shephard from roiai.ca (CVE-2026-pending)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2152115
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending


Notes
~~~~~
- A CVE request has been filed with MITRE (CAN-2026-2030702).
- This is a regression of CVE-2015-5240 (OSSA-2015-018).

--
Goutham Pacha Ravi
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

Attachment: OpenPGP_0x0638DAD3B82C3988.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to