OpenStack Security Advisory: OSSA-2026-024
CVE: CVE-2026-50221

Title: Swift proxy-server SSRF via header injection

Affects: Swift >=2.0.0 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2

Description:
Tim Shephard from roiai.ca reported a server-side request forgery
(SSRF) vulnerability in Swift's proxy-server. An authenticated
user can cause Swift object servers to issue outbound HTTP requests
to attacker-specified hosts, potentially exposing internal
infrastructure details. All deployments running Swift 2.0.0 or
later are affected.

Patches:
  2026.2/hibiscus (development): https://review.opendev.org/994449
  2026.1/gazpacho:               https://review.opendev.org/994450
  2025.2/flamingo:               https://review.opendev.org/994451
  2025.1/epoxy:                  https://review.opendev.org/994452

Credits:
  Tim Shephard from roiai.ca (CVE-2026-50221)

References:
  https://security.openstack.org/ossa/OSSA-2026-024.html
  https://launchpad.net/bugs/2150261
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50221

Regards,
Goutham Pacha Ravi
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

Attachment: OpenPGP_0x0638DAD3B82C3988.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature
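
The affected ranges in the "Affects" line are interleaved with fixed releases, so a single "older than X" comparison or a string comparison misclassifies nodes. The following is an added example, not part of the advisory or of Swift, that evaluates a release against that line; the inventory, its hostnames and the helper names are constructed for illustration, and results reflect the upstream version string only.

```python
import operator
import re

# "Affects" line from OSSA-2026-024, copied verbatim from the advisory.
AFFECTS = ">=2.0.0 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2"
# Constructed inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {"proxy-01": "2.35.2", "proxy-02": "2.35.3", "proxy-03": "2.37.2.dev4"}

_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        ">": operator.gt, "<": operator.lt}
_RELEASE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_BOUND = re.compile(r"(>=|<=|==|>|<)(\S+)")

def parse_release(text):
    """Parse a plain X.Y.Z release into an int tuple; reject anything else."""
    m = _RELEASE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a plain X.Y.Z release: {text!r}")
    return tuple(int(part) for part in m.groups())

def parse_ranges(spec):
    """Turn 'A B, C D' into a list of ranges, each a list of (op, bound)."""
    ranges = []
    for group in spec.split(","):
        bounds = []
        for token in group.split():
            m = _BOUND.fullmatch(token)
            if m is None:
                raise ValueError(f"unrecognised bound: {token!r}")
            bounds.append((_OPS[m.group(1)], parse_release(m.group(2))))
        if not bounds:
            raise ValueError("empty range in spec")
        ranges.append(bounds)
    return ranges

def is_affected(version, spec=AFFECTS):
    """True if version satisfies every bound of at least one range."""
    v = parse_release(version)
    return any(all(op(v, b) for op, b in bounds) for bounds in parse_ranges(spec))

def audit(inventory):
    """Map each host to 'affected', 'not affected' or 'check manually'."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:  # dev snapshots, distro suffixes: no safe ordering
            report[host] = "check manually"
    return report
```

Versions that are not a plain X.Y.Z release (development snapshots, distribution packages that may carry a backported fix) are reported as "check manually" rather than guessed.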