CVE-2026-40213

OpenStack Cyborg before 16.0.1 is affected by CVE-2026-40213. The issue arises from a default policy rule (rule:allow with check_str='@') applied to multiple API endpoints, which unconditionally authorizes any request bearing a valid Keystone token regardless of user roles, project membership, or...

CVE-2026-40213

OpenStack Cyborg before 16.0.1 uses rule:allow checkstr='@' as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complet...

OpenStack Cyborg 安全漏洞

OpenStack Cyborg is an open-source acceleration resource management and scheduling service component of OpenStack. Versions of OpenStack Cyborg prior to 16.0.1 contained security vulnerabilities. These vulnerabilities stemmed from the fact that the accelerator request API did not enforce project...

PT-2026-38597

Name of the Vulnerable Software and Affected Versions OpenStack Cyborg versions prior to 16.0.1 Description The Accelerator Request ARQ API fails to enforce project ownership. The project id database column remains unpopulated, database queries lack project filtering, and policy checks are...

CVE-2026-40214

In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...

OpenStack Cyborg 安全漏洞

OpenStack Cyborg is an open-source acceleration resource management and scheduling service component for OpenStack. Versions of OpenStack Cyborg prior to 16.0.1 contained security vulnerabilities. These vulnerabilities stemmed from the use of rule:allow as the default policy for multiple API...

CVE-2026-40214

OpenStack Cyborg prior to 16.0.1 suffers a access-control flaw in the Accelerator Request (ARQ) API. The project_id field is never populated (NULL for ARQs), database queries lack project filtering, and the authorize_wsgi policy check compares the caller’s project_id to itself rather than the tar...

CVE-2026-40213

OpenStack Cyborg before 16.0.1 uses rule:allow checkstr='@' as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complet...

PT-2026-38596

Name of the Vulnerable Software and Affected Versions OpenStack Cyborg versions prior to 16.0.1 Description Multiple API endpoints use rule:allow check str='@' as the default policy, which unconditionally authorizes any request containing a valid Keystone token. This occurs regardless of the user...

CVE-2026-40213

OpenStack Cyborg before 16.0.1 uses rule:allow checkstr='@' as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complet...

CVE-2026-40214

In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...