OSSA-2026-011: Multiple access control vulnerabilities in Cyborg accelerator management

Date:

May 07, 2026

CVE:

CVE-2026-40213, CVE-2026-40214

Affects

• Cyborg: >=3.0.0 <14.0.1, >=15.0.0 <15.0.1, >=16.0.0 <16.0.1

Description

Sean Mooney from Red Hat reported multiple access control vulnerabilities in OpenStack Cyborg. Default policy rules for device, deployable, and attribute API endpoints use an unconditional allow check that grants access to any authenticated user regardless of roles or project scope (CVE-2026-40213). Separately, Accelerator Request (ARQ) resources lack project ownership enforcement, allowing any authenticated user to enumerate, delete, or manipulate ARQs belonging to other projects (CVE-2026-40214). All Cyborg deployments are affected.

Patches

• https://review.opendev.org/c/openstack/cyborg/+/987698 (2025.1/epoxy)

• https://review.opendev.org/c/openstack/cyborg/+/987699 (2025.1/epoxy)

• https://review.opendev.org/c/openstack/cyborg/+/987700 (2025.1/epoxy)

• https://review.opendev.org/c/openstack/cyborg/+/987701 (2025.1/epoxy)

• https://review.opendev.org/c/openstack/cyborg/+/987702 (2025.1/epoxy)

• https://review.opendev.org/c/openstack/cyborg/+/987703 (2025.1/epoxy)

• https://review.opendev.org/c/openstack/cyborg/+/987692 (2025.2/flamingo)

• https://review.opendev.org/c/openstack/cyborg/+/987693 (2025.2/flamingo)

• https://review.opendev.org/c/openstack/cyborg/+/987694 (2025.2/flamingo)

• https://review.opendev.org/c/openstack/cyborg/+/987695 (2025.2/flamingo)

• https://review.opendev.org/c/openstack/cyborg/+/987696 (2025.2/flamingo)

• https://review.opendev.org/c/openstack/cyborg/+/987697 (2025.2/flamingo)

• https://review.opendev.org/c/openstack/cyborg/+/987687 (2026.1/gazpacho)

• https://review.opendev.org/c/openstack/cyborg/+/987688 (2026.1/gazpacho)

• https://review.opendev.org/c/openstack/cyborg/+/987689 (2026.1/gazpacho)

• https://review.opendev.org/c/openstack/cyborg/+/987690 (2026.1/gazpacho)

• https://review.opendev.org/c/openstack/cyborg/+/987691 (2026.1/gazpacho)

• https://review.opendev.org/c/openstack/cyborg/+/987680 (2026.2/hibiscus)

• https://review.opendev.org/c/openstack/cyborg/+/987681 (2026.2/hibiscus)

• https://review.opendev.org/c/openstack/cyborg/+/987682 (2026.2/hibiscus)

• https://review.opendev.org/c/openstack/cyborg/+/987683 (2026.2/hibiscus)

• https://review.opendev.org/c/openstack/cyborg/+/987684 (2026.2/hibiscus)

• https://review.opendev.org/c/openstack/cyborg/+/987685 (2026.2/hibiscus)

• https://review.opendev.org/c/openstack/cyborg/+/987686 (2026.2/hibiscus)

Credits

• Sean Mooney from Red Hat (CVE-2026-40213, CVE-2026-40214)

References

• https://launchpad.net/bugs/2143263

• https://launchpad.net/bugs/2144056

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40213

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40214

Notes

• CVE-2026-40213 (policy bypass) affects versions 5.0.0 and later. CVE-2026-40214 (missing ownership) affects versions 3.0.0 and later. The affected-products range covers both.