Medium severity6.3NVD Advisory· Published May 7, 2026· Updated May 8, 2026

CVE-2026-40214

Description

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
openstack-cyborgPyPI	< 16.0.1	16.0.1

Affected products

Pachno/Cyborginferred
Range: <16.0.1
Package: https://pypi.org/project/cyborg

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-mmpc-xjxr-5hf8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-40214ghsaADVISORY
bugs.launchpad.net/openstack-cyborg/+bug/2144056nvdWEB
security.openstack.org/ossa/OSSA-2026-011.htmlnvdWEB
www.openwall.com/lists/oss-security/2026/05/07/6nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.410
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000