Impact
The vulnerability stems from a mismatch between the policy action names that the tagging controller enforces (plural) and the names defined in the policy rules (singular). Because no rule matches the enforced name, write operations on tags are never evaluated against the intended rule; they fall through to the catch-all default rule instead of being denied, and that default is not restricted to the roles the rule authors intended. As a result, a user holding only the project reader role can create and update tags on resources within their own project. Unauthorized tag manipulation lets such a user tamper with resource metadata, mislead resource identification, and potentially bypass filtering or discovery mechanisms that key on tags. The flaw is an incorrect-authorization weakness (CWE-863): the policy configuration permits actions beyond those intended for the reader role.
Affected Systems
OpenStack Neutron releases from 26.0.0 up to, but not including, 28.0.1 are affected. Any deployment running one of those releases remains vulnerable until it is upgraded to 28.0.1 or later, or until the policy rule names are brought into line with the actions the tagging controller enforces.
Risk and Exploitability
A CVSS score of 5.3 places the issue at medium severity. No EPSS score is supplied, and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of active exploitation at the time of writing. The attack path is nonetheless straightforward: any authenticated user holding the project reader role sends a tag create or update request to the Neutron tagging API for a resource in their own project; the policy lookup for the enforced action name finds no matching rule, so the request falls through to the default rule and is allowed. The attacker can therefore add or alter tags without elevated privileges, mislabelling resources and disrupting tag-driven management workflows. Operators can check for exposure by comparing the action names their policy file defines against those the tagging controller enforces, and can look for abuse by reviewing tag changes made by identities that hold only the reader role.
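The following is an added example, not Neutron code and not from the advisory. It models the mechanism described in the Impact and Risk sections above with a toy oslo.policy-style enforcer: a set of policy rules defined under singular names, a controller that enforces plural names, and a catch-all default rule that the unmatched lookups fall through to. The specific action names (`create_tag` / `create_tags`), the role predicates and the `default` rule are constructed assumptions that stand in for the real policy file. It also includes the audit check a practitioner would want: listing every enforced action name that no rule defines.

```python
"""Toy model of an oslo.policy-style enforcer showing how a name mismatch
between enforced actions and defined rules becomes an authorization bypass.

Added example; not Neutron's code.  Action names, role predicates and the
catch-all 'default' rule are constructed assumptions for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Creds:
    roles: frozenset
    project_id: str


# Rule predicates over (creds, target).  These approximate the usual
# admin / member / reader layering; they are assumptions, not Neutron's rules.
def is_admin(c, t):
    return "admin" in c.roles


def admin_or_owner(c, t):
    # Permissive catch-all: any principal scoped to the owning project passes,
    # regardless of which role it holds.
    return is_admin(c, t) or c.project_id == t.get("project_id")


def admin_or_project_member(c, t):
    return is_admin(c, t) or (
        "member" in c.roles and c.project_id == t.get("project_id"))


def admin_or_project_reader(c, t):
    return admin_or_project_member(c, t) or (
        "reader" in c.roles and c.project_id == t.get("project_id"))


# What the policy file defines: singular names (assumed).
DEFINED_RULES = {
    "get_tag": admin_or_project_reader,
    "create_tag": admin_or_project_member,
    "update_tag": admin_or_project_member,
    # Catch-all used for any enforced action that has no rule of its own.
    "default": admin_or_owner,
}

# What the controller passes to enforce(): plural names for writes (assumed).
MISMATCHED_ACTIONS = {"get": "get_tag", "create": "create_tags", "update": "update_tags"}
# Corrected mapping: every enforced name has a defined rule.
FIXED_ACTIONS = {"get": "get_tag", "create": "create_tag", "update": "update_tag"}


def enforce(action, creds, target, rules=DEFINED_RULES):
    """Mimic oslo.policy's behaviour: an unregistered action name is
    evaluated with the 'default' rule rather than being denied outright."""
    rule = rules.get(action, rules["default"])
    return rule(creds, target)


def audit(controller_actions, rules):
    """Return the enforced action names that no policy rule defines.
    A non-empty result is exactly the class of bug described above."""
    return sorted(a for a in controller_actions.values() if a not in rules)


def reader_can_write(actions):
    """Can a reader-only principal create/update tags on its own project's resource?"""
    reader = Creds(frozenset({"reader"}), "proj-a")
    target = {"project_id": "proj-a"}
    return {op: enforce(actions[op], reader, target) for op in ("create", "update")}


if __name__ == "__main__":
    print("unmatched (mismatched):", audit(MISMATCHED_ACTIONS, DEFINED_RULES))
    print("reader writes (mismatched):", reader_can_write(MISMATCHED_ACTIONS))
    print("unmatched (fixed):", audit(FIXED_ACTIONS, DEFINED_RULES))
    print("reader writes (fixed):", reader_can_write(FIXED_ACTIONS))
```

With the mismatched names, `audit` reports `create_tags` and `update_tags` as undefined and `reader_can_write` returns `True` for both operations, because the lookup falls through to the owner-based default. With the corrected names the audit is empty and the reader is refused. The same comparison can be run against a real deployment by diffing the action names a service registers in its policy file against the names its controllers actually pass to the enforcer; any name in the second set but not the first is governed by the default rule, whatever that happens to be.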
OpenCVE Enrichment