Server-Side Request Forgery Vulnerability in OpenStack Swift Affecting Multiple Versions
CVE-2026-50221

5.3 MEDIUM

Key Information:

Vendor: OpenStack

Status
Vendor
CVE Published: 23 June 2026

What is CVE-2026-50221?

In OpenStack Swift prior to version 2.37.2, a vulnerability exists whereby the proxy-server inadequately processes update headers from client requests. Authenticated users with write permissions can exploit this weakness by injecting internal update headers. This manipulation allows attackers to redirect update requests to servers under their control, resulting in server-side request forgery (SSRF). As a consequence, sensitive internal cluster metadata, including storage policy details and encryption keys, can be exposed. Additionally, attackers may generate 'ghost listings' in various containers through a shard-range redirect technique.

Affected Version(s)

Swift 2.0.0 < 2.35.3

Swift 2.36.0 < 2.36.2

Swift 2.37.0 < 2.37.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
