OpenStack Cyborg Access Control Bypass Vulnerabilities (CVE-2026-40213/40214)

OSSA-2026-011: Multiple Access Control Vulnerabilities in Cyborg Accelerator Management Vulnerability Overview Sean Mooney from Red Hat reported multiple access control vulnerabilities in OpenStack Cyborg: 1. The default policy rules allow any authenticated user to access all role- or project-scoped API endpoints (CVE-2026-40213). 2. Accelerator Request (ARQ) resources lack project ownership enforcement, allowing users to enumerate, delete, or manipulate ARQs belonging to other projects (CVE-2026-40214). Affected Versions Affected Versions: - Cyborg >=3.0.0 =15.0.0 =16.0.0 <16.0.1 Version Differences: - CVE-2026-40213 (policy bypass) affects version 5.0.0 and later. - CVE-2026-40214 (missing ownership check) affects version 3.0.0 and later. Remediation Please apply the following patches based on the version you are using: 1.0 (Pony): - v987698 - v987699 - v987700 - v987701 - v987702 2.0 (Flamingo): - v987691 - v987703 - v987692 - v987693 - v987694 - v987695 - v987696 - v987697 1.0 (Patched): - v987687 - v987688 - v987689 1.0 (Patched): - v987690 - v987691 - v987692 - v987693 - v987694 - v987695 - v987696 - v987697 - v987698 - v987699 - v987700 - v987701 - v987702 - v987703 References Launchpad Bug 2145203 Launchpad Bug 2144656 NIST NVD CVE-2026-40213 NIST NVD CVE-2026-40214

Goal Reached Thanks to every supporter — we hit 100%!

OpenStack Cyborg Access Control Bypass Vulnerabilities (CVE-2026-40213/40214)