OSSA-2026-016: Neutron tagging policy bypass allows project readers to mutate tags¶

Date:: May 28, 2026
CVE:: CVE-2026-pending

Affects¶

Neutron: >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, >=28.0.0 <28.0.1

Description¶

Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron’s tagging controller. The controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.

Patches¶

https://review.opendev.org/989376 (2025.1/epoxy)
https://review.opendev.org/989375 (2025.2/flamingo)
https://review.opendev.org/989374 (2026.1/gazpacho)
https://review.opendev.org/989099 (2026.2/hibiscus)

Credits¶

Tim Shephard from roiai.ca (CVE-2026-pending)

References¶

https://launchpad.net/bugs/2150132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending

Notes¶

CVE assignment is pending (MITRE CAN-2026-2030611).

OSSA-2026-016: Neutron tagging policy bypass allows project readers to mutate tags