Description
In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.
Published: 2026-05-07
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Accelerator Request (ARQ) API in OpenStack Cyborg does not enforce project ownership at any layer: the database column for project_id is never populated, queries have no project filtering, and the policy decorator compares the caller’s project_id with itself rather than the target resource. Consequently, any authenticated non‑admin user can perform actions such as deleting ARQs that belong to other projects’ instances, causing a denial of service across tenants.

Affected Systems

OpenStack Cyborg releases prior to version 16.0.1 are affected. All deployments of these releases, regardless of domain or size, are vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated use of the ARQ API, meaning an attacker must first obtain a non‑admin account. No public exploits have been documented, but the ability to delete ARQs from other tenants can disrupt services and degrade availability for many customers.

Generated by OpenCVE AI on May 8, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Cyborg to version 16.0.1 or later, which implements proper project filtering and policy checks for ARQ operations
  • If an upgrade is not immediately possible, apply any vendor‑provided patch that enforces project ID enforcement in the ARQ API
  • Review and tighten the policy rules for ARQ so that non‑admin users cannot delete resources that do not belong to their project

Generated by OpenCVE AI on May 8, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6315-1 cyborg security update
Github GHSA Github GHSA GHSA-mmpc-xjxr-5hf8 OpenStack Cyborg's Accelerator Request (ARQ) API does not enforce project ownership at any layer
History

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Openstack
Openstack cyborg
Vendors & Products Openstack
Openstack cyborg

Fri, 08 May 2026 16:00:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Cross‑Tenant Denial of Service via Unchecked Accelerator Request API

Thu, 07 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.
Weaknesses CWE-282
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Openstack Cyborg
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T15:47:39.031Z

Reserved: 2026-04-10T00:00:00.000Z

Link: CVE-2026-40214

cve-icon Vulnrichment

Updated: 2026-05-08T13:56:35.354Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-07T22:16:35.047

Modified: 2026-05-08T16:16:10.900

Link: CVE-2026-40214

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T21:26:31Z

Weaknesses