Vulnerability Description
OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://bugs.launchpad.net/openstack-cyborg/+bug/2143263
- https://security.openstack.org/ossa/OSSA-2026-011.html
- https://www.openwall.com/lists/oss-security/2026/05/07/6
FAQ
What is CVE-2026-40213?
CVE-2026-40213 is a vulnerability with a CVSS score of 7.4 (HIGH). OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless ...
How severe is CVE-2026-40213?
CVE-2026-40213 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40213?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.