CVE-2026-40213
HIGH7.4EPSS 0.04%OpenStack Cyborg uses rule:allow (check_str='@') as the default policy for multiple API endpoints
發布日:2026/5/8修改日:2026/5/31
描述
OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.
受影響套件(2)
- Debian/cyborgfrom 0
- PyPI/openstack-cyborgfrom 0, < 16.0.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-40213
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-40213
- PATCHhttps://github.com/openstack/cyborg
- WEBhttps://bugs.launchpad.net/openstack-cyborg/+bug/2143263
- WEBhttps://security.openstack.org/ossa/OSSA-2026-011.html
- WEBhttps://www.openwall.com/lists/oss-security/2026/05/07/6