VYPR
Medium severityNVD Advisory· Published May 28, 2026· Updated Jun 2, 2026

CVE-2026-49299

CVE-2026-49299

Description

In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • OpenStack/Neutroninferred2 versions
    < 28.0.1, >= 26.0.0+ 1 more
    • (no CPE)range: < 28.0.1, >= 26.0.0
    • (no CPE)range: <28.0.1

Patches

Vulnerability mechanics

References

4

News mentions

1