CVE-2026-49299
Deferred Deferred - Pending Action

Neutron Tagging Policy Bypass via Policy Name Mismatch

Vulnerability report for CVE-2026-49299, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-28

Last updated on: 2026-06-02

Assigner: MITRE

Description

In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-28
Last Modified
2026-06-02
Generated
2026-07-09
AI Q&A
2026-05-29
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openstack neutron From 26.0.0 (inc) to 28.0.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenStack Neutron versions before 28.0.1. The issue is that the tagging controller enforces plural policy action names for single-tag write operations, while the defined policy rules use singular names. Because of this mismatch, the policy evaluation defaults to allowing the action. As a result, a project reader, who normally should have limited permissions, can create and update tags on resources within the same project.

Impact Analysis

The vulnerability allows a user with project reader permissions to create and update tags on resources within the same project. This means that users with limited access can modify metadata tags, potentially leading to unauthorized changes in resource classification or management, which could affect resource tracking, billing, or access control policies.

Compliance Impact

The provided information does not specify how CVE-2026-49299 affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate CVE-2026-49299, you should apply the patches that have been proposed and merged to fix the policy enforcement mismatch in OpenStack Neutron's tagging controller.

Ensure your Neutron deployment is updated to version 28.0.1 or later, as versions before 28.0.1 are affected.

Review and update your policy files to ensure consistency between policy rule names and the actions enforced by the tagging controller.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49299. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart