Authorization Flaw in OpenStack Cyborg by OpenStack
CVE-2026-40213

7.4 HIGH

Key Information:

Vendor: OpenStack
Status: Vendor
CVE Published: 7 May 2026

What is CVE-2026-40213?

OpenStack Cyborg prior to version 16.0.1 contains an authorization vulnerability: its default policy configuration allows unrestricted access to multiple API endpoints. Any authenticated user holding a valid Keystone token can therefore perform actions without the role permissions those actions should require, including reprogramming FPGA bitstreams on any compute node. The root cause is that the default policy rules allow requests without checking the caller's role, which undermines the integrity and security of the service.
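A defender's check for the class of flaw described above, added here as an example and not code from the Cyborg project or this advisory: it parses an oslo.policy-style policy file and reports every target that resolves to unconditional allow, including targets that inherit it through a `rule:` alias or through the default-rule fallback for undeclared targets. The rule names in the sample are constructed placeholders, not Cyborg's real policy targets.

```python
"""Audit an oslo.policy-style policy file for targets any authenticated caller may
use. Added example; rule names are constructed placeholders, not Cyborg's real ones."""
import re
# oslo.policy semantics relied on here: "" and "@" mean always allow, "!" means
# never allow, "rule:<name>" delegates to another named rule, and a target with
# no entry falls back to the rule named by default_rule (normally "default").
LINE_RE = re.compile(r'^\s*"([^"]+)"\s*:\s*"([^"]*)"\s*$')

def parse_policy(text):
    """Parse the flat '"target": "expression"' lines oslo.policy YAML uses."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = LINE_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2).strip()
    return rules

def is_open(rules, target, default_rule="default", _seen=None):
    """True if target resolves to unconditional allow via aliases or the default rule."""
    _seen = _seen or set()
    if target in _seen:
        return False  # alias cycle: not provably open
    _seen.add(target)
    expr = rules.get(target)
    if expr is None:  # undeclared target: oslo.policy falls back to the default rule
        return default_rule in rules and is_open(rules, default_rule, default_rule, _seen)
    if expr in ("", "@"):
        return True
    if expr.startswith("rule:") and " " not in expr:
        return is_open(rules, expr[len("rule:"):], default_rule, _seen)
    return False

def open_targets(text, expected_targets=()):
    """Sorted targets (declared or expected) open to any holder of a valid token."""
    rules = parse_policy(text)
    targets = set(rules) | set(expected_targets)
    return sorted(t for t in targets if t != "default" and is_open(rules, t))

# Constructed sample policy.yaml (not a real Cyborg file): one target explicitly open,
# one open via alias, one undeclared (permissive default), one correctly admin-only.
SAMPLE_POLICY = '''
"default": ""
"context_is_admin": "role:admin"
"placeholder:accelerator:program": ""
"placeholder:device_profile:list": "rule:default"
"placeholder:device_profile:delete": "rule:context_is_admin"
'''
```

Pass the targets your deployment actually exposes as `expected_targets`, since a target that is simply absent from the file is governed by the default rule and is easy to overlook.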

Affected Version(s)

Cyborg 5.0.0 < 14.0.1

Cyborg 15.0.0 < 15.0.1

Cyborg 16.0.0 < 16.0.1

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
