CVE-2026-40214

🗓️ 07 May 2026 00:00:00Reported by mitreType

Cyborg ARQ API before 16.0.1 has NULL project_id and self-referential policy, enabling cross-tenant actions.

Reporter	Title	Published	Views	Family All 17
ATTACKERKB	CVE-2026-40214	7 May 202600:00	–	attackerkb
Circl	CVE-2026-40214	7 May 202619:16	–	circl
CNNVD	OpenStack Cyborg 安全漏洞	7 May 202600:00	–	cnnvd
Cvelist	CVE-2026-40214	7 May 202600:00	–	cvelist
Debian	[SECURITY] [DSA 6315-1] cyborg security update	31 May 202618:39	–	debian
Debian CVE	CVE-2026-40214	7 May 202600:00	–	debiancve
Tenable Nessus	Debian dsa-6315 : cyborg-agent - security update	1 Jun 202600:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2026-40214	8 May 202600:00	–	nessus
EUVD	EUVD-2026-28456	8 May 202600:31	–	euvd
Github Security Blog	OpenStack Cyborg's Accelerator Request (ARQ) API does not enforce project ownership at any layer	8 May 202600:31	–	github

Vulners

Node

openstack cyborgRange3.0.0–14.0.1

openstack cyborgRange15.0.0–15.0.1

openstack cyborgRange16.0.0–16.0.1

[
  {
    "defaultStatus": "unaffected",
    "product": "Cyborg",
    "vendor": "OpenStack",
    "versions": [
      {
        "lessThan": "14.0.1",
        "status": "affected",
        "version": "3.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "15.0.1",
        "status": "affected",
        "version": "15.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "16.0.1",
        "status": "affected",
        "version": "16.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
bugs	www.bugs.launchpad.net/openstack-cyborg/+bug/2144056
security	www.security.openstack.org/ossa/OSSA-2026-011.html
openwall	www.openwall.com/lists/oss-security/2026/05/07/6

08 May 2026 16:16Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.16.3

EPSS0.00037

SSVC

CWE-282