UBUNTU-CVE-2026-40214

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-40214
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40214.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-40214
Upstream
  • CVE-2026-40214
Downstream
Related
Published
2026-05-07T22:16:00Z
Modified
2026-06-09T21:19:11.278166667Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The projectid column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorizewsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

References

Affected packages

Ubuntu:25.10 / cyborg

Package

Name
cyborg
Purl
pkg:deb/ubuntu/cyborg?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
14.0.0-3+deb13u1build0.25.10.1

Affected versions

13.*
13.0.0-2
14.*
14.0.0-2
14.0.0-3

Ecosystem specific 

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "cyborg-agent",
            "binary_version": "14.0.0-3+deb13u1build0.25.10.1"
        },
        {
            "binary_name": "cyborg-api",
            "binary_version": "14.0.0-3+deb13u1build0.25.10.1"
        },
        {
            "binary_name": "cyborg-common",
            "binary_version": "14.0.0-3+deb13u1build0.25.10.1"
        },
        {
            "binary_name": "cyborg-conductor",
            "binary_version": "14.0.0-3+deb13u1build0.25.10.1"
        },
        {
            "binary_name": "python3-cyborg",
            "binary_version": "14.0.0-3+deb13u1build0.25.10.1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40214.json"

Ubuntu:26.04:LTS / cyborg

Package

Name
cyborg
Purl
pkg:deb/ubuntu/cyborg?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
16.0.0-2ubuntu0.1

Affected versions

14.*
14.0.0-3
15.*
15.0.0-1
16.*
16.0.0~rc1-2
16.0.0-2

Ecosystem specific 

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "cyborg-agent",
            "binary_version": "16.0.0-2ubuntu0.1"
        },
        {
            "binary_name": "cyborg-api",
            "binary_version": "16.0.0-2ubuntu0.1"
        },
        {
            "binary_name": "cyborg-common",
            "binary_version": "16.0.0-2ubuntu0.1"
        },
        {
            "binary_name": "cyborg-conductor",
            "binary_version": "16.0.0-2ubuntu0.1"
        },
        {
            "binary_name": "python3-cyborg",
            "binary_version": "16.0.0-2ubuntu0.1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40214.json"