CVE-2026-40214: CWE-282 Improper Ownership Management in OpenStack Cyborg
CVE-2026-40214 is a vulnerability in OpenStack Cyborg before version 16. 0. 1 where the Accelerator Request (ARQ) API fails to enforce project ownership. The project_id field in the database is always NULL, and there is no project filtering in database queries. Policy checks incorrectly compare the caller's project_id with itself rather than the target resource. This allows any authenticated non-admin user to perform actions such as deleting ARQs associated with other projects, leading to cross-tenant denial of service.
AI Analysis
Technical Summary
OpenStack Cyborg versions prior to 16.0.1 contain an improper ownership management vulnerability (CWE-282) in the Accelerator Request (ARQ) API. The root cause is that the project_id column in the ARQ database table is never populated, resulting in NULL values for all ARQs. Consequently, database queries do not filter by project, and policy authorization checks are self-referential, comparing the caller's project_id against itself rather than the resource's project_id. This flaw permits any authenticated user without admin privileges to manipulate ARQs belonging to other tenants, including deleting ARQs bound to instances of other projects, effectively enabling cross-tenant denial of service attacks.
Potential Impact
The vulnerability allows authenticated non-admin users to bypass project ownership restrictions and perform unauthorized actions on ARQs belonging to other tenants. This can lead to denial of service conditions affecting other projects by deleting their ARQs. The confidentiality and integrity impacts are limited to the ability to manipulate ARQs across tenants. There are no known exploits in the wild as of the published date. The CVSS v3.1 base score is 6.3 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and impacts on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch information is provided in the vendor advisory or other sources. Users should monitor OpenStack Cyborg vendor advisories for updates addressing this vulnerability. Until a patch is available, restricting access to the Cyborg API to trusted users and limiting authentication to highly trusted accounts may reduce risk. No vendor advisory states that the issue is already mitigated or requires no action.
CVE-2026-40214: CWE-282 Improper Ownership Management in OpenStack Cyborg
Description
CVE-2026-40214 is a vulnerability in OpenStack Cyborg before version 16. 0. 1 where the Accelerator Request (ARQ) API fails to enforce project ownership. The project_id field in the database is always NULL, and there is no project filtering in database queries. Policy checks incorrectly compare the caller's project_id with itself rather than the target resource. This allows any authenticated non-admin user to perform actions such as deleting ARQs associated with other projects, leading to cross-tenant denial of service.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenStack Cyborg versions prior to 16.0.1 contain an improper ownership management vulnerability (CWE-282) in the Accelerator Request (ARQ) API. The root cause is that the project_id column in the ARQ database table is never populated, resulting in NULL values for all ARQs. Consequently, database queries do not filter by project, and policy authorization checks are self-referential, comparing the caller's project_id against itself rather than the resource's project_id. This flaw permits any authenticated user without admin privileges to manipulate ARQs belonging to other tenants, including deleting ARQs bound to instances of other projects, effectively enabling cross-tenant denial of service attacks.
Potential Impact
The vulnerability allows authenticated non-admin users to bypass project ownership restrictions and perform unauthorized actions on ARQs belonging to other tenants. This can lead to denial of service conditions affecting other projects by deleting their ARQs. The confidentiality and integrity impacts are limited to the ability to manipulate ARQs across tenants. There are no known exploits in the wild as of the published date. The CVSS v3.1 base score is 6.3 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and impacts on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch information is provided in the vendor advisory or other sources. Users should monitor OpenStack Cyborg vendor advisories for updates addressing this vulnerability. Until a patch is available, restricting access to the Cyborg API to trusted users and limiting authentication to highly trusted accounts may reduce risk. No vendor advisory states that the issue is already mitigated or requires no action.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-04-10T00:00:00.000Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fd0cdfcbff5d86103e42da
Added to database: 5/7/2026, 10:06:23 PM
Last enriched: 5/7/2026, 10:21:35 PM
Last updated: 5/7/2026, 11:09:21 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.