Unauth Session Store Exhaustion in OpenStack Horizon 25.6-25.7 (pre-25.7.3)
CVE-2026-43002 Published on May 5, 2026
An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix.
Vulnerability Analysis
CVE-2026-43002 is exploitable over the network and requires neither privileges nor user interaction. Its attack complexity is considered low. An automatable proof-of-concept (PoC) exploit exists. A successful exploit is considered to have no impact on confidentiality or integrity, and a small impact on availability.
Weakness Type
Incorrect Behavior Order
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
Products Associated with CVE-2026-43002
Affected Versions
OpenStack Horizon: versions from 25.6.0 up to, but not including, 25.7.3 are affected.