OpenStack Cyborg <16.0.1: ARQ API Cross-Tenant DoS Vulnerability
CVE-2026-40214 Published on May 7, 2026
In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.
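The three missing layers described above (ownership recorded on create, project-scoped queries, and a policy check that compares the caller against the target ARQ rather than itself), as an added illustration in Python. This is a hypothetical in-memory stand-in, not Cyborg's own code; `Context`, `ARQ`, `ArqStore` and the check functions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Context:
    """Caller identity as carried by the request context (constructed)."""
    project_id: str
    is_admin: bool = False

@dataclass
class ARQ:
    uuid: str
    instance_uuid: str
    project_id: Optional[str] = None  # left NULL in the affected releases

class ArqStore:
    """In-memory stand-in for the ARQ table (hypothetical, not Cyborg's DB layer)."""
    def __init__(self):
        self._rows = {}

    def create(self, ctx, uuid, instance_uuid):
        # Layer 1: record the owning project on create instead of leaving it NULL.
        arq = ARQ(uuid, instance_uuid, project_id=ctx.project_id)
        self._rows[uuid] = arq
        return arq

    def list_for(self, ctx):
        # Layer 2: scope the query to the caller's project unless the caller is admin.
        return [a for a in self._rows.values()
                if ctx.is_admin or a.project_id == ctx.project_id]

def self_referential_check(ctx, target):
    # The flawed pattern: the caller is compared with itself, so this is always True.
    return ctx.project_id == ctx.project_id

def owner_check(ctx, target):
    # Layer 3: compare the caller against the target ARQ's recorded owner;
    # an ARQ with no owner fails closed instead of matching every caller.
    if ctx.is_admin:
        return True
    return target.project_id is not None and target.project_id == ctx.project_id

def delete_arq(store, ctx, uuid, check=owner_check):
    # Delete only when the policy check authorizes this caller for this ARQ.
    arq = store._rows.get(uuid)
    if arq is None or not check(ctx, arq):
        return False
    del store._rows[uuid]
    return True
```

A regression test for the fix should cover all three layers: a foreign-project caller must see an empty list, must be denied deletion, and an ARQ with no recorded owner must not be deletable by any non-admin.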
Vulnerability Analysis
CVE-2026-40214 is exploitable with network access and requires only a small amount of user privileges. The attack complexity is considered low. The potential impact of exploiting this vulnerability is considered low, with a small impact on confidentiality, integrity and availability.
Weakness Type
Improper Ownership Management
The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
Affected Versions
OpenStack Cyborg:
- Versions from 3.0.0 to below 14.0.1 are affected.
- Versions from 15.0.0 to below 15.0.1 are affected.
- Versions from 16.0.0 to below 16.0.1 are affected.