USN-8413-1

Source
https://ubuntu.com/security/notices/USN-8413-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8413-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-8413-1
Published
2026-06-09T16:09:11Z
Modified
2026-06-09T21:29:23.859315177Z
Summary
cyborg vulnerabilities
Details

It was discovered that Cyborg did not properly enforce project ownership in the Accelerator Request (ARQ) API. An authenticated user could possibly use this issue to delete ARQs bound to other projects' instances, resulting in a cross-tenant denial of service. (CVE-2026-40214)

It was discovered that Cyborg used a permissive default policy that authorized any request carrying a valid authentication token, regardless of roles or scope, for multiple API endpoints. An authenticated user could possibly use this issue to perform unauthorized actions, such as reprogramming FPGA bitstreams on arbitrary compute nodes. (CVE-2026-40213)

Affected packages

Ubuntu:25.10 / cyborg

Package

Name
cyborg
Purl
pkg:deb/ubuntu/cyborg?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
14.0.0-3+deb13u1build0.25.10.1

Affected versions

13.*
13.0.0-2
14.*
14.0.0-2
14.0.0-3

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "cyborg-agent",
            "binary_version": "14.0.0-3+deb13u1build0.25.10.1"
        },
        {
            "binary_name": "cyborg-api",
            "binary_version": "14.0.0-3+deb13u1build0.25.10.1"
        },
        {
            "binary_name": "cyborg-common",
            "binary_version": "14.0.0-3+deb13u1build0.25.10.1"
        },
        {
            "binary_name": "cyborg-conductor",
            "binary_version": "14.0.0-3+deb13u1build0.25.10.1"
        },
        {
            "binary_name": "python3-cyborg",
            "binary_version": "14.0.0-3+deb13u1build0.25.10.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8413-1.json"
cves_map
{
    "cves": [
        {
            "severity": [
                {
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
                    "type": "CVSS_V3"
                },
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2026-40213"
        },
        {
            "severity": [
                {
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                    "type": "CVSS_V3"
                },
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2026-40214"
        }
    ],
    "ecosystem": "Ubuntu:25.10"
}

Ubuntu:26.04:LTS / cyborg

Package

Name
cyborg
Purl
pkg:deb/ubuntu/cyborg?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
16.0.0-2ubuntu0.1

Affected versions

14.*
14.0.0-3
15.*
15.0.0-1
16.*
16.0.0~rc1-2
16.0.0-2

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "cyborg-agent",
            "binary_version": "16.0.0-2ubuntu0.1"
        },
        {
            "binary_name": "cyborg-api",
            "binary_version": "16.0.0-2ubuntu0.1"
        },
        {
            "binary_name": "cyborg-common",
            "binary_version": "16.0.0-2ubuntu0.1"
        },
        {
            "binary_name": "cyborg-conductor",
            "binary_version": "16.0.0-2ubuntu0.1"
        },
        {
            "binary_name": "python3-cyborg",
            "binary_version": "16.0.0-2ubuntu0.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8413-1.json"
cves_map
{
    "cves": [
        {
            "severity": [
                {
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
                    "type": "CVSS_V3"
                },
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2026-40213"
        },
        {
            "severity": [
                {
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                    "type": "CVSS_V3"
                },
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2026-40214"
        }
    ],
    "ecosystem": "Ubuntu:26.04:LTS"
}