In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set deviceowner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECTMANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "25.0.0"
},
{
"fixed": "25.2.4"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50266.json",
"cna_assigner": "mitre",
"cwe_ids": [
"CWE-863"
]
}{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "26.0.0"
},
{
"fixed": "26.0.4"
},
{
"introduced": "27.0.0"
},
{
"fixed": "27.0.3"
},
{
"introduced": "28.0.0"
},
{
"fixed": "28.0.1"
}
]
}