CVE-2026-40214: CWE-282 Improper Ownership Management in OpenStack Cyborg
CVE-2026-40214 is a vulnerability in OpenStack Cyborg versions prior to 16.0.1 where the Accelerator Request (ARQ) API fails to enforce project ownership. The project_id field in the database is always NULL, and there is no project filtering in database queries. Policy checks incorrectly compare the caller's project_id with itself rather than the target resource. This allows any authenticated non-admin user to perform actions such as deleting ARQs associated with other projects, leading to cross-tenant denial of service.
AI Analysis
Technical Summary
OpenStack Cyborg before version 16.0.1 contains an improper ownership management vulnerability (CWE-282) in its Accelerator Request (ARQ) API. The database does not populate the project_id column, resulting in NULL values for all ARQs. Database queries lack project filtering, and the authorization mechanism is flawed because it compares the caller's project_id against itself instead of the resource's project_id. Consequently, authenticated non-admin users can manipulate ARQs belonging to other tenants, including deleting them, which constitutes a cross-tenant denial of service risk.
Potential Impact
The vulnerability allows any authenticated non-admin user to delete Accelerator Requests bound to instances of other projects. This cross-tenant access bypasses intended project ownership restrictions, potentially disrupting services for other tenants by denying access to their resources. The CVSS score of 6.3 reflects a medium severity with impacts on confidentiality, integrity, and availability at a limited scale.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch link is provided and the remediation level is unspecified, users should monitor OpenStack advisories for updates. Until a fix is available, restrict access to the Cyborg API to trusted users and consider additional access controls or compensating controls to limit cross-tenant operations.
CVE-2026-40214: CWE-282 Improper Ownership Management in OpenStack Cyborg
Description
CVE-2026-40214 is a vulnerability in OpenStack Cyborg versions prior to 16.0.1 where the Accelerator Request (ARQ) API fails to enforce project ownership. The project_id field in the database is always NULL, and there is no project filtering in database queries. Policy checks incorrectly compare the caller's project_id with itself rather than the target resource. This allows any authenticated non-admin user to perform actions such as deleting ARQs associated with other projects, leading to cross-tenant denial of service.
CVSS v3.1
Score 6.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenStack Cyborg before version 16.0.1 contains an improper ownership management vulnerability (CWE-282) in its Accelerator Request (ARQ) API. The database does not populate the project_id column, resulting in NULL values for all ARQs. Database queries lack project filtering, and the authorization mechanism is flawed because it compares the caller's project_id against itself instead of the resource's project_id. Consequently, authenticated non-admin users can manipulate ARQs belonging to other tenants, including deleting them, which constitutes a cross-tenant denial of service risk.
Potential Impact
The vulnerability allows any authenticated non-admin user to delete Accelerator Requests bound to instances of other projects. This cross-tenant access bypasses intended project ownership restrictions, potentially disrupting services for other tenants by denying access to their resources. The CVSS score of 6.3 reflects a medium severity with impacts on confidentiality, integrity, and availability at a limited scale.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch link is provided and the remediation level is unspecified, users should monitor OpenStack advisories for updates. Until a fix is available, restrict access to the Cyborg API to trusted users and consider additional access controls or compensating controls to limit cross-tenant operations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-04-10T00:00:00.000Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fd0cdfcbff5d86103e42da
Added to database: 05/07/2026, 22:06:23 UTC
Last enriched: 05/15/2026, 10:56:59 UTC
Last updated: 07/05/2026, 08:51:22 UTC
Views: 99
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.