PYSEC-2026-1693

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/neutron/PYSEC-2026-1693.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1693
Aliases
Published
2026-07-07T14:34:45.662800Z
Modified
2026-07-07T17:47:07.174068631Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenStack Neutron can use an incorrect ID during policy enforcement
Details

In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1.

References

Affected packages

PyPI / neutron

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
23.0.0
Fixed
23.2.1
Introduced
24.0.0
Fixed
24.0.2
Introduced
25.0.0
Fixed
25.0.1

Affected versions

23.*
23.0.0
23.1.0
23.2.0
24.*
24.0.0
24.0.1
25.*
25.0.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/neutron/PYSEC-2026-1693.yaml"