CVE-2026-40213

N/A

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

授权机制不正确

OpenStack Cyborg 安全漏洞

OpenStack Cyborg是OpenStack开源的一个加速器资源管理与调度服务组件。 OpenStack Cyborg 16.0.1之前版本存在安全漏洞，该漏洞源于多个API端点使用rule:allow作为默认策略，可能导致任何持有有效Keystone令牌的请求无条件授权。

N/A

N/A