CVE-2026-40213 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-40213

CVE-2026-40213

Published:May 07, 2026

Updated:May 16, 2026

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.

Affected Packages

openstack-cyborg (PYTHON):

Affected version(s) =16.0.0 <16.0.1

Fix Suggestion:

Update to version 16.0.1

openstack-cyborg (PYTHON):

Affected version(s) >=0.1.0 <16.0.1

Fix Suggestion:

Update to version 16.0.1

Related Resources (5)

https://security.openstack.org/ossa/OSSA-2026-011.html

https://bugs.launchpad.net/openstack-cyborg/+bug/2143263

https://www.openwall.com/lists/oss-security/2026/05/07/6

https://nvd.nist.gov/vuln/detail/CVE-2026-40213

https://github.com/openstack/cyborg

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

LOW

Subsequent System Integrity

LOW

Subsequent System Availability

LOW

CVSS v3

Base Score:

7.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Weakness Type (CWE)

Incorrect Authorization

CWE-863

EPSS

Base Score:

0.04