Project Ownership Flaw in OpenStack Cyborg Affects API Functionality
CVE-2026-40214

6.3 MEDIUM

Key Information:

Vendor: Openstack

Status: Vendor

CVE Published: 7 May 2026

What is CVE-2026-40214?

A serious vulnerability in OpenStack Cyborg, prior to version 16.0.1, arises from a lack of enforced project ownership in the Accelerator Request (ARQ) API. Because the project_id column was never populated, every ARQ row carried a NULL project_id, and database queries were executed without any project filtering. As a result, an authenticated non-admin user can act on ARQs that belong to other projects, including deleting ARQs associated with another project's instances, which enables cross-tenant denial of service. This flaw highlights the necessity of rigorous access control within API frameworks: ownership must be recorded on creation and enforced on every query.
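To make the flaw concrete, here is an added, simplified model (not Cyborg's code; ArqStore, create, delete_vulnerable and delete_fixed are hypothetical names) of an ARQ table whose rows carry a NULL project_id, a delete that filters only on uuid, and a hardened delete that also matches the caller's project:

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Arq:
    uuid: str
    instance_uuid: str
    project_id: Optional[str]  # None models the NULL column in affected releases


class ArqStore:
    """In-memory stand-in for the ARQ table (hypothetical, not Cyborg's code)."""

    def __init__(self) -> None:
        self._rows: Dict[str, Arq] = {}

    def create(self, uuid: str, instance_uuid: str, caller_project: str,
               populate_owner: bool) -> None:
        # Affected releases never wrote project_id, so every row carried NULL.
        owner = caller_project if populate_owner else None
        self._rows[uuid] = Arq(uuid, instance_uuid, owner)

    def exists(self, uuid: str) -> bool:
        return uuid in self._rows

    def delete_vulnerable(self, uuid: str, caller_project: str) -> bool:
        # Lookup by uuid only (WHERE uuid = ?): caller_project is accepted but ignored.
        return self._rows.pop(uuid, None) is not None

    def delete_fixed(self, uuid: str, caller_project: str, is_admin: bool = False) -> bool:
        # Non-admins match on uuid AND project_id. A NULL project_id never equals
        # a caller's project, so unpopulated rows are hidden rather than deletable.
        row = self._rows.get(uuid)
        if row is None or (not is_admin and row.project_id != caller_project):
            return False  # report "not found" rather than "forbidden": don't leak existence
        del self._rows[uuid]
        return True


def demo() -> Dict[str, bool]:
    store = ArqStore()  # constructed sample data: tenant proj-a owns both ARQs
    store.create("arq-1", "inst-1", "proj-a", populate_owner=False)
    store.create("arq-2", "inst-2", "proj-a", populate_owner=True)
    return {
        "null_row_hidden_by_fix": not store.delete_fixed("arq-1", "proj-b"),  # True
        "cross_tenant_delete": store.delete_vulnerable("arq-1", "proj-b"),   # True: the flaw
        "other_tenant_blocked": not store.delete_fixed("arq-2", "proj-b"),   # True
        "owner_can_delete": store.delete_fixed("arq-2", "proj-a"),           # True
    }
```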

Affected Version(s)

Cyborg 3.0.0 < 14.0.1

Cyborg 15.0.0 < 15.0.1

Cyborg 16.0.0 < 16.0.1

References

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved