CVE-2026-40214

MEDIUM

OpenStack Cyborg <14.0.1, 15.0.0-15.0.1, 16.0.0-16.0.1 DoS via Accelerator Request API

Title source: llm

Description

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

References (3)

Core 3

Core References

https://bugs.launchpad.net/openstack-cyborg/+bug/2144056

https://www.openwall.com/lists/oss-security/2026/05/07/6

https://security.openstack.org/ossa/OSSA-2026-011.html

Scores

CVSS v3 6.3

EPSS 0.0004

EPSS Percentile 11.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-282

Status published

Products (4)

OpenStack/Cyborg 15.0.0 - 15.0.1

OpenStack/Cyborg 16.0.0 - 16.0.1

OpenStack/Cyborg 3.0.0 - 14.0.1

pypi/openstack-cyborg 0 - 16.0.1PyPI

Published May 07, 2026

Tracked Since May 08, 2026