Description
In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).
Published: 2026-06-04
Score: 2.2 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In OpenStack Neutron versions prior to 28.0.1, a project manager can create or modify a port on a shared network owned by another project and set the device_owner field to a value beginning with "network:" (for instance "network:dhcp"). The default port RBAC policies mistakenly included the PROJECT_MANAGER role without checking network ownership, so any project manager obtained the trusted network-service port privileges normally reserved for the network owner. This flaw allows the attacker to bypass anti-spoofing rules and security-group restrictions, potentially enabling DHCP, MAC, or IP spoofing against tenants using the shared network.

Affected Systems

OpenStack Neutron, versions earlier than 28.0.1.

Risk and Exploitability

The CVSS score of 2.2 reflects a low base severity, yet the flaw can be leveraged by anyone with project-manager rights within the OpenStack deployment. Since the attack requires only internal RBAC rights and does not involve remote code execution, the likelihood of exploitation is limited to organizations that grant project-manager privileges broadly. The vulnerability is not listed in the CISA KEV catalog, and no EPSS information is available. The ability to spoof DHCP or MAC addresses on a shared network could potentially cause denial of service, traffic interception, or privilege escalation within the shared tenant environment; these outcomes are inferred from the described impact and not directly stated in the official description.

Generated by OpenCVE AI on June 4, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Neutron to version 28.0.1 or later where the RBAC policy requires network ownership for device_owner values beginning with "network:".
  • Review shared network configurations and remove any ports that were created with a device_owner value of 'network:*' by project managers.
  • Restrict the PROJECT_MANAGER role to only include authorized users and consider tightening RBAC to enforce network ownership checks before creating or updating ports.
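The second recommended action above is an audit that can be scripted. The following is an added example (not OpenCVE's or Neutron's own code) that lists ports on shared networks whose device_owner carries the trusted "network:" prefix but whose project is not the network owner; the `audit_cloud` helper assumes openstacksdk is installed and that its `is_shared` query parameter and `to_dict()` behave as named, while the core check runs offline on constructed sample data.

```python
"""Offline audit for the condition in CVE-2026-50266: ports on a shared network
whose device_owner starts with "network:" but whose project is not the network
owner. Added example, not OpenCVE's or Neutron's own code."""

TRUSTED_PREFIX = "network:"  # prefix Neutron treats as a trusted service port


def find_foreign_service_ports(networks, ports):
    """networks/ports: iterables of dicts using the field names openstacksdk
    exposes (id, project_id, is_shared, network_id, device_owner).
    Returns (port_id, network_id, device_owner, port_project, net_project)."""
    shared_owner = {n["id"]: n["project_id"]
                    for n in networks if n.get("is_shared")}
    findings = []
    for p in ports:
        owner = p.get("device_owner") or ""
        net_project = shared_owner.get(p["network_id"])
        if net_project is None or not owner.startswith(TRUSTED_PREFIX):
            continue  # not a shared network, or an ordinary compute port
        if p["project_id"] != net_project:
            findings.append((p["id"], p["network_id"], owner,
                             p["project_id"], net_project))
    return findings


def audit_cloud(conn):
    """Live variant. Assumption: openstacksdk is installed and `conn` is an
    openstack.connection.Connection; not exercised by the offline demo."""
    nets = [n.to_dict() for n in conn.network.networks(is_shared=True)]
    ports = [p.to_dict() for p in conn.network.ports()]
    return find_foreign_service_ports(nets, ports)


# Constructed sample data: net-a is shared and owned by project "infra".
SAMPLE_NETWORKS = [
    {"id": "net-a", "project_id": "infra", "is_shared": True},
    {"id": "net-b", "project_id": "tenant-2", "is_shared": False},
]
SAMPLE_PORTS = [
    {"id": "p1", "network_id": "net-a", "project_id": "infra",
     "device_owner": "network:dhcp"},    # legitimate DHCP port
    {"id": "p2", "network_id": "net-a", "project_id": "tenant-1",
     "device_owner": "compute:nova"},    # ordinary VM port
    {"id": "p3", "network_id": "net-a", "project_id": "tenant-1",
     "device_owner": "network:dhcp"},    # foreign trusted port: flag it
    {"id": "p4", "network_id": "net-b", "project_id": "tenant-1",
     "device_owner": "network:dhcp"},    # not a shared network
]
```

Treat the output as a review list rather than a verdict: service-created ports such as router interfaces on a shared network may carry the router owner's project and will also match.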

Generated by OpenCVE AI on June 4, 2026 at 17:51 UTC.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Network-Scoped Port Creation Enables Spoofing in OpenStack Neutron

Thu, 04 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).
First Time appeared Openstack
Openstack neutron
Weaknesses CWE-863
CPEs cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack neutron
References
Metrics cvssV3_1

{'score': 2.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-04T17:28:01.143Z

Reserved: 2026-06-04T16:18:38.592Z

Link: CVE-2026-50266

Vulnrichment

Updated: 2026-06-04T17:27:46.791Z

NVD

Status: Awaiting Analysis

Published: 2026-06-04T17:16:33.517

Modified: 2026-06-04T19:15:17.327

Link: CVE-2026-50266

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T19:00:13Z

Weaknesses