DEBIAN-CVE-2026-40214

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-40214

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40214.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-40214

Upstream

CVE-2026-40214

Published

2026-05-07T22:16:35.047Z

Modified

2026-05-20T16:02:22.030244350Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The projectid column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorizewsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

References

https://security-tracker.debian.org/tracker/CVE-2026-40214

Affected packages

Debian:13 / cyborg

Package

Name: cyborg
Purl: pkg:deb/debian/cyborg?arch=source&distro=trixie

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

14.*

14.0.0-3

15.*

15.0.0~rc1-1

15.0.0~rc1-2

15.0.0~rc1-3

15.0.0-1

16.*

16.0.0~rc1-1

16.0.0~rc1-2

16.0.0~rc2-1

16.0.0-1

16.0.0-2

16.0.0+git+2026.04.26.b8edfa06f1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40214.json"

Debian:14 / cyborg