CVE-2026-49299: CWE-863 Incorrect Authorization in OpenStack Neutron
In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
AI Analysis
Technical Summary
OpenStack Neutron before version 28.0.1 contains an authorization flaw (CWE-863) in its tagging controller. The controller enforces plural policy action names for single-tag write operations, but the policy rules are defined with singular names. This discrepancy causes the policy evaluation to default to allowing the action, enabling users with project reader privileges to create and update tags on resources within the same project. This affects Neutron versions 26.0.0, 27.0.0, and 28.0.0.
Potential Impact
The vulnerability permits users with project reader privileges to modify tags on resources within their project, which could lead to unauthorized changes in resource metadata. This may affect resource management and auditing but does not grant broader access or control beyond tag modification. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the OpenStack vendor advisory for current remediation guidance. Until a fix is available, consider reviewing and customizing policy rules to avoid relying on default policies that use plural action names, or restrict project reader permissions as a temporary measure.
CVE-2026-49299: CWE-863 Incorrect Authorization in OpenStack Neutron
Description
In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
CVSS v4.0
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenStack Neutron before version 28.0.1 contains an authorization flaw (CWE-863) in its tagging controller. The controller enforces plural policy action names for single-tag write operations, but the policy rules are defined with singular names. This discrepancy causes the policy evaluation to default to allowing the action, enabling users with project reader privileges to create and update tags on resources within the same project. This affects Neutron versions 26.0.0, 27.0.0, and 28.0.0.
Potential Impact
The vulnerability permits users with project reader privileges to modify tags on resources within their project, which could lead to unauthorized changes in resource metadata. This may affect resource management and auditing but does not grant broader access or control beyond tag modification. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the OpenStack vendor advisory for current remediation guidance. Until a fix is available, consider reviewing and customizing policy rules to avoid relying on default policies that use plural action names, or restrict project reader permissions as a temporary measure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-05-28T21:53:02.642Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a18bf3ae29bf47b50390f2c
Added to database: 5/28/2026, 10:18:34 PM
Last enriched: 5/28/2026, 10:34:21 PM
Last updated: 5/29/2026, 3:23:21 PM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.