Medium severity · NVD Advisory · Published May 28, 2026

CVE-2026-49299

Description

In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Neutron tagging controller enforces plural policy names on single-tag writes, mismatching singular policy rules, allowing project readers to create/update tags on same-project resources.

Vulnerability

The Neutron tagging controller in OpenStack Neutron before versions 28.0.1, 27.0.3, and 26.0.4 enforces plural policy action names (e.g., create_networks:tags) on single-tag write operations (POST/PUT to /.../tags and /.../tags/{tag}), while the defined policy rules use singular names (e.g., create_network:tags). Because the plural names match no defined rule, they evaluate as allowed under the default policy, bypassing the intended singular restrictions. The bug lives in neutron/neutron/extensions/tagging.py at lines 224 and 241, where the controller builds action names from the pluralized resource type (rinfo.obj_type values such as networks, ports, floatingips). Affected deployments run Neutron 26.0.0 or later, up to the fixed versions [1][2].

Exploitation

An attacker needs network access to the Neutron API and a valid project reader role (or any role with read access on the same project). No additional authentication or user interaction is required. The attacker sends a POST request to /networks/{network_id}/tags with a JSON body containing a single tag string (e.g., {"tags": ["reader-post"]}). The controller responds with 200 OK and the tag is created. Similarly, a PUT request to /networks/{network_id}/tags/{tag} with the same tag string creates or updates that tag. The attacker can repeat these operations to mutate tags on any network, port, or floating IP resource within their project. The bulk path /networks/{network_id}/tags.json remains correctly denied under the singular policy rules [1][2].

Impact

A project reader gains the ability to create and update tags on same-project network, port, and floating IP resources, which should be restricted to project members or admins. This violates the intended access control policy and could lead to unauthorized metadata changes, potentially affecting resource classification, network segmentation, or other tag-dependent operations. The privilege escalation is limited to tag mutation within the attacker's project; no cross-project or admin-level access is achieved.

Mitigation

Fixed versions are Neutron 28.0.1, 27.0.3, and 26.0.4, released on 2026-05-28. The fix aligns the controller action names with the singular policy names by modifying neutron/neutron/extensions/tagging.py to use the singular form. Deployments should upgrade to these versions. No workaround exists; the bug is inherent in the controller design. The vulnerability is not listed in KEV as of this writing [1][2].

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • OpenStack/Neutron (inferred), no CPE: versions >= 26.0.0, < 28.0.1

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Plural policy action names in the tagging controller do not match the singular names defined in policy rules, causing single-tag write operations to bypass authorization."

Attack vector

An attacker with a project-reader role can send a `POST /networks/{id}/tags` or `PUT /networks/{id}/tags/{tag}` request to create or update tags on same-project resources. The controller enforces the plural policy name (e.g., `create_networks:tags`), which does not match any defined rule and therefore evaluates as allowed under the default policy. The bulk write path (`PUT /networks/{id}/tags`) correctly enforces the singular policy name and denies the same reader, confirming the mismatch is the sole bypass [ref_id=1].

Affected code

The bug is in the custom tagging controller at `neutron/neutron/extensions/tagging.py:224` and `neutron/neutron/extensions/tagging.py:241`, where policy action names are built from the plural collection key (`rinfo.obj_type` yields values like `networks`, `ports`, `floatingips`). The policy rule definitions in files such as `neutron/neutron/conf/policies/network.py:184` and `neutron/neutron/conf/policies/port.py:330` use singular names (e.g., `create_network:tags`), creating a mismatch [ref_id=1].

What the fix does

The advisory does not include a published patch diff, but identifies the root cause as a regression from commit https://review.opendev.org/c/openstack/neutron/+/938135, which renamed policy rules to singular form but only partially updated the custom tagging controller [ref_id=1]. The fix would require changing the policy action name construction in `neutron/neutron/extensions/tagging.py` to use singular names (e.g., `create_network:tags` instead of `create_networks:tags`) to match the defined policy rules. Deployments should upgrade to Neutron 28.0.1 or later when available.
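As an added illustration (not Neutron's own code or anything from the advisory), the model below shows the mechanism described in the Affected code and fix sections: an action name built from the plural collection key matches no defined rule, so evaluation falls through to the default rule, while the singular name hits the intended member-only rule. The member-only rules, the admin-or-same-project default and the singularisation map are constructed assumptions; the audit helper lists every constructed action name that no rule defines, which is the check a deployer could run against a policy dump.

```python
"""Added illustration (not Neutron's own code): how an enforced action name
that matches no defined rule falls through to a permissive default rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Creds:
    roles: frozenset
    project_id: str


def check_member(creds, target):
    """Intended rule for tag writes: project member or admin."""
    return bool({"member", "admin"} & creds.roles)


def check_owner(creds, target):
    """Assumed default rule: admin, or any caller from the resource's project."""
    return "admin" in creds.roles or creds.project_id == target["project_id"]


# Singular rule names modelled on those the advisory cites (constructed set).
RULES = {f"{verb}_{res}:tags": check_member
         for verb in ("create", "update")
         for res in ("network", "port", "floatingip")}
DEFAULT_RULE = check_owner  # assumption: same-project default, as the page's effect implies
SINGULAR = {"networks": "network", "ports": "port", "floatingips": "floatingip"}


def tag_action(verb, obj_type, singular=True):
    """Build the action name; singular=False mimics the plural construction."""
    return f"{verb}_{SINGULAR[obj_type] if singular else obj_type}:tags"


def enforce(action, creds, target, rules=RULES, default=DEFAULT_RULE):
    """Return (allowed, rule_used); an undefined action uses the default rule."""
    rule = rules.get(action)
    if rule is None:
        return default(creds, target), "default"
    return rule(creds, target), action


def audit_undefined(rules, verbs, collections, singular):
    """List constructed action names that no rule defines (silent fall-through)."""
    return [a for a in (tag_action(v, c, singular) for v in verbs for c in collections)
            if a not in rules]


if __name__ == "__main__":
    reader = Creds(frozenset({"reader"}), "proj-a")   # constructed caller
    net = {"project_id": "proj-a"}                     # constructed same-project target
    for singular in (False, True):
        action = tag_action("create", "networks", singular)
        print(action, enforce(action, reader, net))
```

Running the audit with singular=False reports all six plural names as undefined; with singular=True it reports none, which is the state the fix restores.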

Preconditions

  • auth: Attacker must have a project-reader role (or equivalent) on the same OpenStack project as the target resource
  • input: Target resource must be a tagged resource family (network, port, floating IP, etc.)
  • config: Deployment must run Neutron 26.0.0 or later

Reproduction

The reference write-up includes reproduction steps with example requests [ref_id=1]:

1. As a project reader, send `POST /networks/{network-id}/tags.json` with `{"tags": ["reader-post"]}` — observe 200 OK.
2. Send `PUT /networks/{network-id}/tags/reader-put.json` — observe 201 Created.
3. Send `GET /networks/{network-id}/tags.json` — observe the tags were mutated.
4. As a control, send `PUT /networks/{network-id}/tags.json` (bulk path) — observe 403 Forbidden, confirming the bulk path correctly enforces the singular policy.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
