High severity7.4NVD Advisory· Published May 7, 2026· Updated May 8, 2026
CVE-2026-40213
CVE-2026-40213
Description
OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openstack-cyborgPyPI | < 16.0.1 | 16.0.1 |
Affected products
1Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.