OSSA-2026-016: Neutron tagging policy bypass allows project readers to mutate tags
- Date: May 28, 2026
- CVE: CVE-2026-49299
Affects
Neutron: >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, >=28.0.0 <28.0.1
Description
Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron’s tagging controller. The controller enforces plural policy action names on single-tag write operations, while the defined policy rules use singular names. Because the enforced names match no defined rule, they evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
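The following is an added illustration, not Neutron or oslo.policy code, of how a name mismatch between the enforcement point and the rule table turns into a permission grant, together with the check a deployer can run to catch such drift. The action names (`create_tag`/`create_tags` and so on), the role names and the "default" fallback rule are constructed for the example and are not taken from Neutron's policy files; the fallback is modelled as an owner check to reproduce the behaviour the advisory describes.

```python
"""Model of an undefined-action fallback in a policy enforcer.

Added example for OSSA-2026-016; it is not Neutron's or oslo.policy's code.
Rule names, role names and the "default" fallback are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Request context: roles carried by the token, and whether the target
    resource belongs to the caller's project."""
    roles: frozenset
    same_project: bool


# Rule predicates (constructed; they model the shape of a check, not
# Neutron's actual rule strings).
def admin_or_owner(ctx):
    # Any same-project caller passes, whatever their role.
    return "admin" in ctx.roles or ctx.same_project


def member_or_admin(ctx):
    return "admin" in ctx.roles or ("member" in ctx.roles and ctx.same_project)


def reader_or_above(ctx):
    return "admin" in ctx.roles or (
        bool({"reader", "member"} & ctx.roles) and ctx.same_project
    )


# Defined rules, keyed by singular action names (illustrative). "default" is
# the rule the enforcer falls back to for any action name without a rule.
RULES = {
    "default": admin_or_owner,
    "create_tag": member_or_admin,
    "update_tag": member_or_admin,
    "delete_tag": member_or_admin,
    "get_tag": reader_or_above,
}

# Action names the modelled controller hands to the enforcer. The plural
# write names are the mismatch; the two singular names are correctly matched
# and are included for contrast.
ENFORCED_ACTIONS = {"create_tags", "update_tags", "delete_tag", "get_tag"}


def enforce(action, ctx, rules=RULES):
    """Return (allowed, rule_name_used).

    An action with no rule of its own is decided by "default", which is how
    a naming mismatch becomes a grant rather than a denial."""
    rule_name = action if action in rules else "default"
    return rules[rule_name](ctx), rule_name


def undefined_actions(enforced=ENFORCED_ACTIONS, rules=RULES):
    """Defender-side lint: every enforced action name that has no rule of
    its own and would therefore be decided by the fallback."""
    return sorted(a for a in enforced if a not in rules)


if __name__ == "__main__":
    reader = Context(roles=frozenset({"reader"}), same_project=True)
    for action in sorted(ENFORCED_ACTIONS):
        allowed, rule = enforce(action, reader)
        verdict = "allowed" if allowed else "denied"
        print(f"{action:12s} -> {verdict:7s} via rule {rule!r}")
    print("enforced actions with no defined rule:", undefined_actions())
```

In this model a same-project reader is denied `create_tag` by its own rule but allowed `create_tags` through the fallback, which is the shape of the bypass; `undefined_actions()` is the check that surfaces the drift before it reaches production, and the same comparison can be made against a real enforcer's rule table and the action names found at its enforcement points.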
Errata
When the original advisory was published a CVE number was not assigned. CVE-2026-49299 was assigned on 2026-05-28.
Patches
https://review.opendev.org/989376 (2025.1/epoxy)
https://review.opendev.org/989375 (2025.2/flamingo)
https://review.opendev.org/989374 (2026.1/gazpacho)
https://review.opendev.org/989099 (2026.2/hibiscus)
Credits
Tim Shephard from roiai.ca (CVE-2026-49299)
References
OSSA History
2026-05-28 - Errata 1
2026-05-28 - Original Version