← back
CVE-2026-40213

CVE-2026-40213

CVSS 7.4 HIGHEPSS 0.2%CWE-863
OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Affected products
OpenStack · Cyborg

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://bugs.launchpad.net/openstack-cyborg/+bug/2143263https://security.openstack.org/ossa/OSSA-2026-011.htmlhttps://www.openwall.com/lists/oss-security/2026/05/07/6