CVE-2026-49299
Deferred Deferred - Pending Action
Neutron Tagging Policy Bypass via Policy Name Mismatch

Publication date: 2026-05-28

Last updated on: 2026-06-02

Assigner: MITRE

Description
In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-02
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-49299
EUVD
EUVD-2026-33074
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openstack neutron From 26.0.0 (inc) to 28.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenStack Neutron versions before 28.0.1. The issue is that the tagging controller enforces plural policy action names for single-tag write operations, while the defined policy rules use singular names. Because of this mismatch, the policy evaluation defaults to allowing the action. As a result, a project reader, who normally should have limited permissions, can create and update tags on resources within the same project.

Impact Analysis

The vulnerability allows a user with project reader permissions to create and update tags on resources within the same project. This means that users with limited access can modify metadata tags, potentially leading to unauthorized changes in resource classification or management, which could affect resource tracking, billing, or access control policies.

Compliance Impact

The provided information does not specify how CVE-2026-49299 affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate CVE-2026-49299, you should apply the patches that have been proposed and merged to fix the policy enforcement mismatch in OpenStack Neutron's tagging controller.

Ensure your Neutron deployment is updated to version 28.0.1 or later, as versions before 28.0.1 are affected.

Review and update your policy files to ensure consistency between policy rule names and the actions enforced by the tagging controller.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49299. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart