OSSA-2026-021: Neutron port RBAC policy bypass allows project managers to set trusted device owners on shared networks

Date:

June 04, 2026

CVE:

CVE-2026-50266

Affects

• Neutron: >=25.0.0 <25.2.4, >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, ==28.0.0

Description

Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron’s default port RBAC rules. A project manager can create or update a port on a shared network owned by another project and set device_owner to a trusted network-service value such as network:dhcp. Depending on backend and deployment, this can bypass anti-spoofing and security group protections. This is a regression of CVE-2015-5240 (OSSA-2015-018) introduced by the manager role support change. Deployments running Neutron 25.0.0 or later are affected.

Errata

CVE-2026-50266 has been assigned for this vulnerability.

Patches

• https://review.opendev.org/991523 (2025.1/epoxy)

• https://review.opendev.org/990356 (2025.2/flamingo)

• https://review.opendev.org/990353 (2026.1/gazpacho)

• https://review.opendev.org/990273 (2026.2/hibiscus)

Credits

• Tim Shephard from roiai.ca (CVE-2026-50266)

References

• https://launchpad.net/bugs/2152115

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50266

Notes

• This is a regression of CVE-2015-5240 (OSSA-2015-018).

OSSA History

• 2026-06-04 - Errata 1

• 2026-06-04 - Original Version