Vulnerability Description
In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.
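The two layers named in the description (a self-referential policy check that never looks at the target resource, and an owner column that is never populated) can be illustrated with a small model. The following is an added example written for this page, not OpenStack Cyborg code: the Context, ARQ, authorize_* and delete_arq names, the in-memory store and the sample ARQs are all hypothetical and constructed here. It runs a non-admin caller from one project against ARQs owned by another project and against an ARQ whose owner is NULL, first under a check that compares the caller with itself and then under a check that compares the caller with the recorded owner and fails closed when the owner is unknown.

```python
# Added illustration of the ownership-check failure described in CVE-2026-40214.
# NOT OpenStack Cyborg code: every name and the sample data below are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Context:
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass
class ARQ:
    uuid: str
    project_id: Optional[str]  # None models the never-populated (NULL) column
    instance_uuid: str


# Constructed sample store: one ARQ per project plus one ARQ with a NULL owner.
ARQS: Dict[str, ARQ] = {
    "arq-a": ARQ("arq-a", "project-a", "inst-a"),
    "arq-b": ARQ("arq-b", "project-b", "inst-b"),
    "arq-null": ARQ("arq-null", None, "inst-c"),
}


class Forbidden(Exception):
    pass


def authorize_self_referential(ctx: Context, arq: ARQ) -> bool:
    """Models the flawed check: the 'target' is built from the caller's own
    context, so the comparison is caller == caller and the ARQ is ignored."""
    target = {"project_id": ctx.project_id}  # bug: should come from the ARQ
    return ctx.is_admin or target["project_id"] == ctx.project_id


def authorize_owner(ctx: Context, arq: ARQ) -> bool:
    """Hardened check: compare the caller's project with the ARQ's recorded
    owner, and deny when the owner is unknown instead of assuming a match."""
    if ctx.is_admin:
        return True
    if arq.project_id is None:
        return False  # fail closed: an unowned row must not be deletable by anyone
    return arq.project_id == ctx.project_id


def delete_arq(ctx: Context, arq_uuid: str,
               policy: Callable[[Context, ARQ], bool],
               store: Optional[Dict[str, ARQ]] = None) -> bool:
    """Delete an ARQ only if the supplied policy authorizes the caller."""
    store = ARQS if store is None else store
    arq = store.get(arq_uuid)
    if arq is None:
        raise KeyError(arq_uuid)
    if not policy(ctx, arq):
        raise Forbidden(f"{ctx.project_id} may not delete {arq_uuid}")
    del store[arq_uuid]
    return True


def list_arqs(ctx: Context, store: Optional[Dict[str, ARQ]] = None) -> List[ARQ]:
    """Hardened listing: filter rows by the caller's project at the query
    layer; only admins see every row, and NULL-owned rows match no tenant."""
    store = ARQS if store is None else store
    if ctx.is_admin:
        return list(store.values())
    return [a for a in store.values() if a.project_id == ctx.project_id]


def simulate(policy: Callable[[Context, ARQ], bool]) -> Dict[str, str]:
    """Run a non-admin caller from project-a against a fresh copy of the
    sample store and record the outcome for each ARQ."""
    store = dict(ARQS)
    ctx = Context("user-1", "project-a")
    results: Dict[str, str] = {}
    for uuid in list(store):
        try:
            delete_arq(ctx, uuid, policy, store)
            results[uuid] = "deleted"
        except Forbidden:
            results[uuid] = "forbidden"
    return results


if __name__ == "__main__":
    print("self-referential:", simulate(authorize_self_referential))
    print("owner check:     ", simulate(authorize_owner))
```

Under the self-referential policy every deletion succeeds, including the ARQ owned by project-b, which is the cross-tenant outcome the description calls out. The owner-based policy only allows the caller's own ARQ, and the NULL-owner case shows why the data fix (actually populating project_id) and the policy fix have to go together: a correct comparison against a column that is always NULL would deny everything for non-admins, while a missing comparison allows everything.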
CVSS Score
MEDIUM (CVSS base score 6.3)
Related Weaknesses (CWE)
References
- https://bugs.launchpad.net/openstack-cyborg/+bug/2144056
- https://security.openstack.org/ossa/OSSA-2026-011.html
- https://www.openwall.com/lists/oss-security/2026/05/07/6
FAQ
What is CVE-2026-40214?
CVE-2026-40214 is a vulnerability with a CVSS score of 6.3 (MEDIUM). In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), dat...
How severe is CVE-2026-40214?
CVE-2026-40214 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40214?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.