GHSA-mmpc-xjxr-5hf8

Source
https://github.com/advisories/GHSA-mmpc-xjxr-5hf8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mmpc-xjxr-5hf8/GHSA-mmpc-xjxr-5hf8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mmpc-xjxr-5hf8
Aliases
  • CVE-2026-40214
Published
2026-05-08T00:31:34Z
Modified
2026-05-13T01:50:41.722105Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
OpenStack Cyborg's Accelerator Request (ARQ) API does not enforce project ownership at any layer
Details

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The `project_id` column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the `authorize_wsgi` decorator compares the caller's `project_id` with itself rather than with the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.
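The three layers named above, as an added illustration that is not Cyborg's own code: a self-referential policy check that can never fail, beside an ownership check that loads the target ARQ and compares its own `project_id`, plus a query-layer filter. The in-memory `ARQ_STORE`, the `policy_*` / `list_arqs` / `delete_arq` names and the request-context dict are all hypothetical stand-ins.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Arq:
    uuid: str
    project_id: Optional[str]   # None models the column that is never populated

# Constructed sample table: two tenants plus one row with a NULL project_id.
ARQ_STORE = {
    "arq-a": Arq("arq-a", "project-A"),
    "arq-b": Arq("arq-b", "project-B"),
    "arq-null": Arq("arq-null", None),
}

def _is_admin(context):
    return "admin" in context.get("roles", ())

def policy_self_referential(context, arq_uuid):
    """Vulnerable pattern: the 'target' project is read from the caller's own
    context, so the comparison can never fail and every non-admin passes."""
    target_project = context["project_id"]            # caller, not resource
    return _is_admin(context) or target_project == context["project_id"]

def policy_ownership(context, arq_uuid):
    """Hardened pattern: load the target ARQ and compare its own project_id.
    Unknown rows and rows with a NULL project_id are refused to non-admins."""
    arq = ARQ_STORE.get(arq_uuid)
    if arq is None:
        return False
    return _is_admin(context) or arq.project_id == context["project_id"]

def list_arqs(context):
    """Query-layer filter: a non-admin only sees ARQs owned by its project,
    so a row with an unpopulated project_id is never returned to a tenant."""
    if _is_admin(context):
        return sorted(ARQ_STORE)
    return sorted(u for u, a in ARQ_STORE.items()
                  if a.project_id == context["project_id"])

def delete_arq(context, arq_uuid, policy=policy_ownership):
    """Returns True if the policy lets the delete through, False if refused.
    The table is left untouched so the function can be called repeatedly."""
    if not policy(context, arq_uuid):
        return False
    return ARQ_STORE.get(arq_uuid) is not None      # stand-in for the DB delete
```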

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T01:37:26Z",
    "cwe_ids": [
        "CWE-282"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-05-07T22:16:35Z"
}
References

Affected packages

PyPI / openstack-cyborg

Package

Name
openstack-cyborg
Purl
pkg:pypi/openstack-cyborg

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
16.0.1

Affected versions

0.*
0.1.0
0.2.0
1.*
1.0.0.0b3
1.0.0.0rc1
1.0.0
2.*
2.0.0.0rc1
2.0.0
3.*
3.0.0.0rc1
3.0.0
3.0.1
4.*
4.0.0.0rc1
4.0.0
4.0.1
5.*
5.0.0.0rc1
5.0.0.0rc2
5.0.0
5.0.1
6.*
6.0.0.0rc1
6.0.0.0rc2
6.0.0
6.0.1
7.*
7.0.0.0rc1
7.0.0
7.0.1
8.*
8.0.0.0rc1
8.0.0
8.0.1
9.*
9.0.0.0rc1
9.0.0
10.*
10.0.0.0rc1
10.0.0
10.1.0
11.*
11.0.0.0rc1
11.0.0
12.*
12.0.0.0rc1
12.0.0
13.*
13.0.0.0rc1
13.0.0
14.*
14.0.0.0rc1
14.0.0
14.1.0
15.*
15.0.0.0rc1
15.0.0
15.0.1
16.*
16.0.0.0rc1
16.0.0.0rc2
16.0.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mmpc-xjxr-5hf8/GHSA-mmpc-xjxr-5hf8.json"