CVE-2026-40214
Improper Project Ownership Validation in OpenStack Cyborg
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openstack | cyborg | all versions before 16.0.1 (16.0.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-282 | The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenStack Cyborg versions before 16.0.1 where the Accelerator Request (ARQ) API fails to enforce project ownership at any level.
Specifically, the project_id field in the database is never set and remains NULL for all ARQs, database queries do not filter by project, and the policy checks compare the caller's project_id with the caller's own project_id rather than with the project_id of the target resource, so the check always succeeds.
As a result, any authenticated non-admin user can perform actions such as deleting ARQs that belong to other projects, leading to cross-tenant denial of service.
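The three defects named above (project_id never stored, no per-project filtering, and a policy target built from the caller instead of the resource) are easiest to see side by side with the corrected behaviour. The following is an added illustration, not Cyborg's own code: RequestContext, ARQ, the create/check functions and the dictionary store are hypothetical stand-ins for the service's request context, database row, policy layer and DB API.

```python
"""Project-ownership enforcement on an Accelerator Request (ARQ), flawed vs fixed.

Added example, not Cyborg's code. Names (RequestContext, ARQ, owner_check_*,
create_arq_*, delete_arq) are hypothetical stand-ins for the real service layers.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class RequestContext:
    """The caller: their project and whether they hold the admin role."""
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass
class ARQ:
    """One ARQ row. project_id is None when it was never recorded (NULL in the DB)."""
    uuid: str
    instance_uuid: str
    project_id: Optional[str]


class Forbidden(Exception):
    """Raised when the caller does not own the target ARQ."""


def create_arq_flawed(ctx: RequestContext, uuid: str, instance_uuid: str) -> ARQ:
    # Defect: the creating project is never written, so every row has NULL project_id.
    return ARQ(uuid=uuid, instance_uuid=instance_uuid, project_id=None)


def create_arq_fixed(ctx: RequestContext, uuid: str, instance_uuid: str) -> ARQ:
    # Fix: stamp the creating project on the row so ownership can be enforced later.
    return ARQ(uuid=uuid, instance_uuid=instance_uuid, project_id=ctx.project_id)


def owner_check_flawed(ctx: RequestContext, target: ARQ) -> bool:
    # Defect: the policy target is built from the caller's own project_id, so the
    # comparison is caller == caller and always passes; `target` is never consulted.
    policy_target = {"project_id": ctx.project_id}
    return ctx.is_admin or policy_target["project_id"] == ctx.project_id


def owner_check_fixed(ctx: RequestContext, target: ARQ) -> bool:
    # Fix: compare the caller's project with the project recorded on the resource.
    # A row with NULL project_id has no owner; this example lets only admin act on it.
    if ctx.is_admin:
        return True
    if target.project_id is None:
        return False
    return target.project_id == ctx.project_id


def delete_arq(ctx: RequestContext, arq_uuid: str, store: Dict[str, ARQ],
               check: Callable[[RequestContext, ARQ], bool]) -> None:
    """Delete an ARQ after running the supplied ownership check against that row."""
    target = store[arq_uuid]
    if not check(ctx, target):
        raise Forbidden(f"project {ctx.project_id} does not own ARQ {arq_uuid}")
    del store[arq_uuid]


def delete_allowed(create, check, creator: str, caller: str) -> bool:
    """True if a non-admin in project `caller` can delete an ARQ created by `creator`."""
    owner = RequestContext(user_id="u1", project_id=creator)
    actor = RequestContext(user_id="u2", project_id=caller)
    store = {"arq-1": create(owner, "arq-1", "instance-1")}
    try:
        delete_arq(actor, "arq-1", store, check)
    except Forbidden:
        return False
    return "arq-1" not in store
```

With the flawed pair, `delete_allowed(create_arq_flawed, owner_check_flawed, "project-a", "project-b")` is True: a non-admin in project-b removes project-a's ARQ, which is the cross-tenant denial of service described above. With the fixed pair the same call is False while the owner's own delete still succeeds. One caveat the fixed check makes visible: rows created before project_id was being recorded stay NULL and, under this example's rule, become admin-only until they are re-stamped or recreated, so an upgrade alone does not restore ownership on pre-existing ARQs.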
How can this vulnerability impact me?
This vulnerability can allow any authenticated non-admin user to delete Accelerator Requests (ARQs) associated with other projects' instances.
This leads to a cross-tenant denial of service, potentially disrupting services or workloads running on those other projects.
The impact includes loss of availability and integrity of resources managed by the ARQ API.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in OpenStack Cyborg allows any authenticated non-admin user to perform actions across different projects without proper authorization, leading to cross-tenant denial of service. This lack of project ownership enforcement and improper access control could potentially lead to unauthorized access or manipulation of data belonging to other tenants.
Such unauthorized access and lack of proper data segregation may impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data to prevent unauthorized disclosure or modification.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenStack Cyborg to version 16.0.1 or later where the issue is fixed.
Since the vulnerability allows any authenticated non-admin user to perform unauthorized actions due to lack of project ownership enforcement, applying the patch or upgrade that enforces project ownership and proper policy checks is critical.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the OpenStack Cyborg Accelerator Request (ARQ) API not enforcing project ownership, leading to NULL project_id values in the database and allowing unauthorized cross-tenant actions.
To detect this vulnerability on your system, you can check the `extended_accelerator_requests` database table for NULL values in the `project_id` column, which indicates the issue.
Additionally, you can attempt to list or delete ARQs across projects using non-admin credentials to verify if unauthorized cross-tenant access is possible.
Suggested commands include:
- Query the database to find ARQs with NULL project_id: `SELECT * FROM extended_accelerator_requests WHERE project_id IS NULL;`
- Use OpenStack CLI or API calls with a non-admin user to list ARQs and check if ARQs from other projects are visible.
- Attempt to delete or modify ARQs bound to instances of other projects using non-admin credentials to test for unauthorized access.
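The database check from the first suggested command can be scripted so it reports not just the unowned rows but whether every row is affected, which is the pattern the advisory describes for an unpatched deployment. The script below is an added example, not part of this advisory or of Cyborg: only the table name `extended_accelerator_requests` and the `project_id` column come from the text; the other columns (uuid, instance_uuid, state), the SQLite in-memory database and all row values are constructed stand-ins, and the verdict strings are this example's interpretation.

```python
"""Audit the Cyborg `extended_accelerator_requests` table for NULL project_id.

Added example, not Cyborg's code. Runs the advisory's detection query over an
in-memory SQLite copy of the table filled with constructed rows; swap in a real
connection to run it against a deployment's database.
"""
import sqlite3
from typing import Dict, List

# Only the table name and project_id column are from the advisory; the rest is assumed.
SCHEMA = """
CREATE TABLE extended_accelerator_requests (
    uuid          TEXT PRIMARY KEY,
    instance_uuid TEXT,
    project_id    TEXT,          -- NULL on every row when the defect is present
    state         TEXT
);
"""

# Constructed rows: a mix of stamped and unstamped ARQs.
SAMPLE_ROWS = [
    ("arq-0001", "inst-a1", None,        "Bound"),
    ("arq-0002", "inst-a2", None,        "Bound"),
    ("arq-0003", "inst-b1", "project-b", "Bound"),
    ("arq-0004", "inst-c1", None,        "Initial"),
]

# The advisory's detection query, narrowed to the columns needed for reporting.
NULL_OWNER_QUERY = (
    "SELECT uuid, instance_uuid, state FROM extended_accelerator_requests "
    "WHERE project_id IS NULL ORDER BY uuid"
)


def build_sample_db() -> sqlite3.Connection:
    """Create the constructed sample table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO extended_accelerator_requests VALUES (?, ?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def audit(conn: sqlite3.Connection) -> Dict[str, object]:
    """Return the unowned ARQ uuids and a verdict (this example's interpretation).

    All rows NULL matches the advisory's description of the defective service,
    which never stores project_id. A partial set points to rows created before a
    fix that still carry no owner and therefore cannot be ownership-checked.
    """
    total = conn.execute(
        "SELECT COUNT(*) FROM extended_accelerator_requests"
    ).fetchone()[0]
    unowned: List[str] = [row[0] for row in conn.execute(NULL_OWNER_QUERY)]
    if total == 0:
        verdict = "no ARQs recorded; nothing to assess"
    elif len(unowned) == total:
        verdict = "all ARQs lack project_id: consistent with the unpatched ARQ API"
    elif unowned:
        verdict = "some ARQs lack project_id: legacy rows that bypass ownership checks"
    else:
        verdict = "every ARQ has a project_id"
    return {"total": total, "unowned": unowned, "verdict": verdict}


if __name__ == "__main__":
    result = audit(build_sample_db())
    print(f"{len(result['unowned'])}/{result['total']} ARQs without project_id")
    for arq_uuid in result["unowned"]:
        print("  ", arq_uuid)
    print(result["verdict"])
```

Run against the constructed data it reports 3 of 4 ARQs without a project_id. After upgrading to 16.0.1 or later, re-running the same query is a cheap way to confirm that newly created ARQs are being stamped, and the remaining NULL rows are the ones to review by hand.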