Policy Mismatch Vulnerability in OpenStack Neutron by OpenStack
CVE-2026-49299
5.3 MEDIUM
What is CVE-2026-49299?
In OpenStack Neutron versions prior to 28.0.1, the tagging controller enforces plural policy action names during single-tag write operations, while the defined policy rules use singular names. Because of this mismatch, access control is inadequate: a project reader can create and update tags on resources within the same project. Environments running Neutron 26.0.0 or later are susceptible and should be remediated immediately with the available patches.
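The mismatch described above, modelled as an added example (not Neutron or oslo.policy code, and not part of the original advisory). The rule names are placeholders, and the same-project fallback for unregistered names is an assumption made to show how a misnamed check weakens access control; `unregistered_actions` is the kind of audit that catches it.

```python
"""Constructed model of a policy-name mismatch; not Neutron or oslo.policy code."""


def same_project(creds, target):
    return creds["project_id"] == target["project_id"]


def member_in_project(creds, target):
    return "member" in creds["roles"] and same_project(creds, target)


# Registered rules use singular action names (placeholders, not Neutron's real names).
REGISTERED = {
    "create_resource_tag": member_in_project,
    "update_resource_tag": member_in_project,
    "delete_resource_tag": member_in_project,
}


def enforce(action, creds, target):
    # Assumption: an action with no registered rule falls back to a weaker
    # same-project default instead of being denied.
    return REGISTERED.get(action, same_project)(creds, target)


def controller_action(verb, plural):
    # plural=True models the mismatched name enforced on single-tag writes;
    # plural=False is the name the registered rules define.
    return f"{verb}_resource_tag{'s' if plural else ''}"


def unregistered_actions(enforced):
    """Audit: action names the code enforces that match no registered rule."""
    return sorted(set(enforced) - set(REGISTERED))


READER = {"roles": ["reader"], "project_id": "p1"}            # constructed credentials
MEMBER = {"roles": ["member", "reader"], "project_id": "p1"}  # constructed credentials
TARGET = {"project_id": "p1"}                                 # constructed target resource

if __name__ == "__main__":
    for plural in (True, False):
        name = controller_action("create", plural)
        print(name, "-> reader allowed:", enforce(name, READER, TARGET))
    enforced = [controller_action(v, True) for v in ("create", "update")]
    print("enforced but unregistered:", unregistered_actions(enforced))
```

Running the same audit in a unit test, over every action name a controller can pass to its enforcer, turns this class of mismatch into a build failure instead of a silent policy gap.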
Affected Version(s)
Neutron 26.0.0 < 26.0.4
Neutron 27.0.0 < 27.0.3
Neutron 28.0.0 < 28.0.1
