Unauth Session Store Exhaustion in OpenStack Horizon 25.625.7 (pre25.7.3)
CVE-2026-43002 Published on May 5, 2026
An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix.
Vulnerability Analysis
CVE-2026-43002 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
Incorrect Behavior Order
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
Products Associated with CVE-2026-43002
Want to know whenever a new CVE is published for OpenStack Horizon? stack.watch will email you.
Affected Versions
OpenStack Horizon:- Version 25.6.0 and below 25.7.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.