GHSA-mm7j-mhhj-hj36
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mm7j-mhhj-hj36
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mm7j-mhhj-hj36/GHSA-mm7j-mhhj-hj36.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mm7j-mhhj-hj36
- Aliases
-
- CVE-2026-40213
- Published
- 2026-05-08T00:31:33Z
- Modified
- 2026-05-13T01:47:23.054571Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- OpenStack Cyborg uses rule:allow (check_str='@') as the default policy for multiple API endpoints
- Details
-
OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-13T01:37:14Z", "cwe_ids": [ "CWE-863" ], "severity": "HIGH", "nvd_published_at": "2026-05-07T22:16:34Z" }- References
Affected packages
PyPI / openstack-cyborg
Package
- Name
- openstack-cyborg
- View open source insights on deps.dev
- Purl
- pkg:pypi/openstack-cyborg
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed16.0.1
Affected versions
0.*
0.1.0
0.2.0
1.*
1.0.0.0b3
1.0.0.0rc1
1.0.0
2.*
2.0.0.0rc1
2.0.0
3.*
3.0.0.0rc1
3.0.0
3.0.1
4.*
4.0.0.0rc1
4.0.0
4.0.1
5.*
5.0.0.0rc1
5.0.0.0rc2
5.0.0
5.0.1
6.*
6.0.0.0rc1
6.0.0.0rc2
6.0.0
6.0.1
7.*
7.0.0.0rc1
7.0.0
7.0.1
8.*
8.0.0.0rc1
8.0.0
8.0.1
9.*
9.0.0.0rc1
9.0.0
10.*
10.0.0.0rc1
10.0.0
10.1.0
11.*
11.0.0.0rc1
11.0.0
12.*
12.0.0.0rc1
12.0.0
13.*
13.0.0.0rc1
13.0.0
14.*
14.0.0.0rc1
14.0.0
14.1.0
15.*
15.0.0.0rc1
15.0.0
15.0.1
16.*
16.0.0.0rc1
16.0.0.0rc2
16.0.0