OpenStack Security Advisory: OSSA-2026-024
CVE: CVE-2026-50221
Title: Swift proxy-server SSRF via header injection
Affects: Swift >=2.0.0 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2

Description:
Tim Shephard from roiai.ca reported a server-side request forgery (SSRF) vulnerability in Swift's proxy-server. An authenticated user can cause Swift object servers to issue outbound HTTP requests to attacker-specified hosts, potentially exposing internal infrastructure details. All deployments running Swift 2.0.0 or later are affected.

Patches:
2026.2/hibiscus (development): https://review.opendev.org/994449
2026.1/gazpacho: https://review.opendev.org/994450
2025.2/flamingo: https://review.opendev.org/994451
2025.1/epoxy: https://review.opendev.org/994452

Credits:
Tim Shephard from roiai.ca (CVE-2026-50221)

References:
https://security.openstack.org/ossa/OSSA-2026-024.html
https://launchpad.net/bugs/2150261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50221

Regards,
Goutham Pacha Ravi
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
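
A check an operator could run against the Affects ranges above, as an added example that is not part of the advisory or of Swift's own code. The function names are illustrative, and treating a pbr-style `.devN` build as preceding its release is an assumption.

```python
import operator
import re
from importlib import metadata

# Copied verbatim from the advisory's "Affects" field.
AFFECTS = ">=2.0.0 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2"
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       ">": operator.gt, "<": operator.lt}


def version_key(text):
    """Sortable key for '2.36.1' or a pbr-style dev build '2.36.2.dev7'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:\.dev(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:  # so that 2.36 == 2.36.0
        nums.pop()
    # Assumption: a .devN build precedes its release, so it lacks that fix.
    dev = m.group(2)
    return (tuple(nums), 0, int(dev)) if dev is not None else (tuple(nums), 1, 0)


def matching_range(version, spec=AFFECTS):
    """Return the (op, bound) terms of the affected range holding version."""
    key = version_key(version)
    for clause in spec.split(","):
        terms = re.findall(r"(>=|<=|==|>|<)\s*([\w.]+)", clause)
        if terms and all(OPS[op](key, version_key(b)) for op, b in terms):
            return terms
    return None


def is_affected(version, spec=AFFECTS):
    return matching_range(version, spec) is not None


def fixed_in(version, spec=AFFECTS):
    """Exclusive upper bound of the matching range: the first fixed release."""
    terms = matching_range(version, spec) or []
    return next((b for op, b in terms if op == "<"), None)


if __name__ == "__main__":
    try:
        installed = metadata.version("swift")  # Swift's distribution name
    except metadata.PackageNotFoundError:
        raise SystemExit("swift is not installed in this environment")
    print(installed, "->", fixed_in(installed) or "not in an affected range")
```

Distribution packages that backport the patch keep an affected upstream version number, so confirm against the package changelog when the check flags a vendor build.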
