OSSA-2026-009: Unauthenticated session flood via login redirect storage

Date:

April 27, 2026

CVE:

CVE-2026-43002

Affects

  • Horizon: >=25.6.0 <25.7.3

Description

Erichen (Institute of Computing Technology, Chinese Academy of Sciences) reported a denial of service vulnerability in Horizon. The login view stores a post-login redirect URL in the server-side session before the user authenticates. Because each unauthenticated request without a session cookie triggers a new persistent session entry, an attacker can exhaust the session storage backend (Memcached, Redis, or database) by sending repeated requests to /auth/login/?next=URL. When the backend reaches capacity, legitimate sessions are evicted, logging out administrators and preventing them from accessing the dashboard. This is a regression of CVE-2014-8124. Deployments running Horizon from the 2026.1 (Gazpacho) release series with default session configuration are affected. Earlier release series do not contain the vulnerable code.
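To make the mechanism in the description concrete, the following is an added illustration and not Horizon's code or the project's fix: a self-contained Python model of a capacity-bounded session backend, a Django-style session middleware, and two login views. The first writes the redirect target into the session on GET, before any credential check, so every cookieless request persists a new entry; the second (one possible hardening, assumed here) carries `next` as a request parameter and touches the session only after authentication succeeds. The store, the `Request` object, the view names, the demo password and the `safe_next` check are all constructed for this example.

```python
# Added illustration, not Horizon's code: a toy Django-style session lifecycle showing why
# writing to the session before authentication lets cookieless requests fill the backend.
from collections import OrderedDict
from dataclasses import dataclass, field
import secrets


class SessionStore:
    """Capacity-bounded key/value store that evicts the least-recently-saved entry;
    a stand-in for a Memcached/Redis backend (constructed for this example)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._data = OrderedDict()

    def save(self, key, data):
        self._data[key] = dict(data)
        self._data.move_to_end(key)
        while len(self._data) > self.capacity:
            self._data.popitem(last=False)  # evict oldest: a real admin session can go here

    def create(self, data):
        key = secrets.token_hex(16)
        self.save(key, data)
        return key

    def get(self, key):
        return self._data.get(key)

    def __len__(self):
        return len(self._data)


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)   # query string or form fields
    cookies: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)  # filled in by dispatch()


def dispatch(store, view, request):
    """Mimic SessionMiddleware: load the session named by the cookie, run the view,
    and persist (creating a fresh key if there was no valid cookie) only if the view changed it."""
    sid = request.cookies.get("sessionid")
    stored = store.get(sid) if sid else None
    sid = sid if stored is not None else None
    request.session = dict(stored) if stored else {}
    before = dict(request.session)
    response = view(request)
    if request.session != before:
        if sid is None:
            sid = store.create(request.session)
        else:
            store.save(sid, request.session)
    return response, sid


PASSWORD = "correct horse"  # constructed credential for the demo


def vulnerable_login_view(request):
    """Vulnerable pattern: the redirect target is written into the session on GET,
    before any credential check, so every cookieless GET creates a persistent session."""
    if request.method == "GET":
        request.session["next"] = request.params.get("next", "/")
        return {"status": 200}
    if request.params.get("password") == PASSWORD:
        request.session["user"] = request.params["username"]
        return {"status": 302, "location": request.session.pop("next", "/")}
    return {"status": 401}


def safe_next(target):
    """Allow only same-origin relative paths as a redirect target, so the fix does not
    trade the session exhaustion for an open redirect."""
    if target and target.startswith("/") and not target.startswith("//"):
        return target
    return "/"


def hardened_login_view(request):
    """Hardened pattern (one possible fix, assumed here): carry `next` as a request
    parameter and touch the session only after authentication succeeds."""
    if request.method == "GET":
        return {"status": 200, "next": safe_next(request.params.get("next"))}
    if request.params.get("password") == PASSWORD:
        request.session["user"] = request.params["username"]
        return {"status": 302, "location": safe_next(request.params.get("next"))}
    return {"status": 401}


def simulate(view, capacity=50, unauthenticated_requests=200):
    """Log an admin in, then send cookieless GETs to the login view and report whether
    the admin's session survived and how many sessions the backend holds."""
    store = SessionStore(capacity)
    admin = Request("POST", {"username": "admin", "password": PASSWORD, "next": "/"})
    _, admin_sid = dispatch(store, view, admin)
    for i in range(unauthenticated_requests):
        dispatch(store, view, Request("GET", {"next": f"/project/{i}/"}))
    return {"sessions": len(store), "admin_session_survived": store.get(admin_sid) is not None}


if __name__ == "__main__":
    for view in (vulnerable_login_view, hardened_login_view):
        print(view.__name__, simulate(view))
```

Running the model with the vulnerable view fills the store to capacity and evicts the admin's session; with the hardened view the cookieless GETs never modify the session, so the middleware never writes a key and the store holds only the authenticated session. The same check applies when reviewing any Django view reachable without authentication: a write to `request.session` before the credential check is a persistent-storage allocation that an unauthenticated client controls.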

Patches

Credits

  • Erichen from Institute of Computing Technology, Chinese Academy of Sciences (CVE-2026-43002)

References

Notes

  • This vulnerability was introduced in commit 3e2ff4e06 (Horizon 25.6.0) and only affects the 2026.1 (Gazpacho) release series. Earlier releases are not affected.

  • This is a regression of CVE-2014-8124. The original middleware-level fix remains effective, but the new view-layer session write bypasses it.