Description
In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.
Published: 2026-05-07
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Accelerator Request (ARQ) API in OpenStack Cyborg does not enforce project ownership at any layer: the database column for project_id is never populated, queries have no project filtering, and the policy decorator compares the caller’s project_id with itself rather than the target resource. Consequently, any authenticated non‑admin user can perform actions such as deleting ARQs that belong to other projects’ instances, causing a denial of service across tenants.

Affected Systems

OpenStack Cyborg releases prior to version 16.0.1 are affected. All deployments of these releases, regardless of domain or size, are vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated use of the ARQ API, meaning an attacker must first obtain a non‑admin account. No public exploits have been documented, but the ability to delete ARQs from other tenants can disrupt services and degrade availability for many customers.

Generated by OpenCVE AI on May 8, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Cyborg to version 16.0.1 or later, which implements proper project filtering and policy checks for ARQ operations
  • If an upgrade is not immediately possible, apply any vendor‑provided patch that enforces project ID enforcement in the ARQ API
  • Review and tighten the policy rules for ARQ so that non‑admin users cannot delete resources that do not belong to their project

Generated by OpenCVE AI on May 8, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Cross‑Tenant Denial of Service via Unchecked Accelerator Request API

Thu, 07 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.
Weaknesses CWE-282
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T21:54:10.614Z

Reserved: 2026-04-10T00:00:00.000Z

Link: CVE-2026-40214

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-07T22:16:35.047

Modified: 2026-05-07T22:16:35.047

Link: CVE-2026-40214

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T00:30:25Z

Weaknesses