Denial of Service Vulnerability in OpenStack Swift by OpenStack
CVE-2026-49017

7.1 HIGH

Key Information:

Vendor: OpenStack

Status
Vendor
CVE Published: 27 May 2026

What is CVE-2026-49017?

In certain versions of OpenStack Swift, a vulnerability exists in the s3api middleware that can lead to a denial of service. When processing a truncated aws-chunked PUT request body, the middleware enters an infinite loop. This results in the StreamingInput class repeatedly appending an empty buffer. Consequently, the proxy-server worker becomes unresponsive as CPU and memory consumption escalate. An authenticated attacker could exploit this flaw to exhaust all proxy-server workers systematically, leading to service disruption. This defect originated in version 2.36.0 of OpenStack Swift and was addressed in later releases.
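The bug class described above, as an added illustration that is not Swift's code and not part of the advisory: a fill loop that appends an empty read at end of input without making progress, next to a read that treats an empty read as truncation, used by a small aws-chunked framing decoder. All function names and the sample bodies are hypothetical or constructed, chunk signatures are not verified, and trailers are not handled.

```python
import io

class TruncatedBody(ValueError):
    """Body ended before the declared aws-chunked framing was complete."""

def fill_unsafe(stream, want, max_iters=10_000):
    # Bug class from the description: an empty read() (EOF) is appended like
    # data, so the loop makes no progress. max_iters exists only for the demo.
    parts, got, iters = [], 0, 0
    while got < want and iters < max_iters:
        data = stream.read(want - got)
        parts.append(data)          # b"" appended again and again at EOF
        got += len(data)
        iters += 1
    return got, len(parts)

def read_exact(stream, want):
    # Hardened: a zero-length read means EOF, so stop and report truncation.
    parts, got = [], 0
    while got < want:
        data = stream.read(want - got)
        if not data:
            raise TruncatedBody(f"expected {want} bytes, got {got}")
        parts.append(data)
        got += len(data)
    return b"".join(parts)

def decode_aws_chunked(stream, max_chunk=1 << 20):
    # Framing: <hex-size>[;ext]\r\n<data>\r\n ... 0[;ext]\r\n\r\n
    # Chunk signatures are NOT verified here; only the framing is checked.
    out = []
    while True:
        header = stream.readline(1024)
        if not header.endswith(b"\r\n"):
            raise TruncatedBody("chunk header cut short")
        size = int(header.split(b";", 1)[0].strip(), 16)
        if not 0 <= size <= max_chunk:
            raise ValueError("chunk size out of range")
        out.append(read_exact(stream, size))
        if read_exact(stream, 2) != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        if size == 0:
            return b"".join(out)

# Constructed sample bodies (placeholder signatures), not captured traffic.
GOOD = b"5;chunk-signature=aa\r\nhello\r\n0;chunk-signature=bb\r\n\r\n"
TRUNCATED = b"5;chunk-signature=aa\r\nhel"
```

Failing fast on the short read lets the server reject the request instead of tying up a worker on a body that will never complete.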

Affected Version(s)

Swift 2.36.0 < 2.36.2

Swift 2.37.0 < 2.37.2

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
