OpenStack Neutron <28.0.1 Plural Action Mismatch Enables Unauthorized Tagging
CVE-2026-49299 Published on May 28, 2026
In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2026-49299 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-49299
Want to know whenever a new CVE is published for OpenStack Neutron? stack.watch will email you.
Affected Versions
OpenStack Neutron:- Version 26.0.0 and below 26.0.4 is affected.
- Version 27.0.0 and below 27.0.3 is affected.
- Version 28.0.0 and below 28.0.1 is affected.