VYPR
Low severity (2.2) · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-50266

Description

OpenStack Neutron allows project managers to bypass security policies on shared networks, enabling spoofing attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In OpenStack Neutron before version 28.0.1, a project manager can create or update a port on a shared network owned by another project. By setting the device_owner to a value starting with "network:" (e.g., network:dhcp), they can exploit a flaw in the default port RBAC policies. These policies incorrectly granted PROJECT_MANAGER permissions without requiring network ownership, allowing any project manager to assign trusted network-service port behavior to their ports on shared networks [1, 2].

Exploitation

An attacker with project manager privileges can exploit this vulnerability by creating or updating a port on a shared network that they do not own. They must set the device_owner attribute to a value beginning with "network:", such as network:dhcp. The default RBAC policies allow this action if the user is a project manager, even if they are not the owner of the network [2].

Impact

Successful exploitation allows a project manager to obtain trusted network-service port behavior on shared networks. Depending on the specific backend and deployment configuration, this can lead to bypassing anti-spoofing and security group protections. The attacker can then perform DHCP, MAC, or IP spoofing attacks against other tenants sharing the same network [1, 2]. This is a regression of CVE-2015-5240 [2].

Mitigation

The vulnerability is fixed in OpenStack Neutron versions 25.2.4, 26.0.4, 27.0.3, and 28.0.1. Users are advised to upgrade to a fixed version. No workarounds are specified in the available references. The affected versions include Neutron 25.0.0 through 25.2.3, 26.0.0 through 26.0.3, 27.0.0 through 27.0.2, and 28.0.0 [1].
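The narrative above gives defenders a concrete audit signal: on a shared network, a port whose device_owner claims a Neutron network service (a value starting with "network:") but whose project is not the network's owning project is exactly the state the flawed policy let a project manager create. The following added example is not code from this page or from the Neutron project; it is an offline audit over constructed port and network listings whose field names follow the Neutron API port and network resources (id, network_id, project_id, shared, device_owner). The allowlist of device_owner values that may legitimately belong to another project is an assumption an operator would tune for their deployment.

```python
"""Audit Neutron port listings for network-service ports on shared networks
that belong to a project other than the network owner.

Added example (not from the page or the Neutron project). Field names follow
the Neutron API port/network resources; all sample data below is constructed.
"""
from typing import Dict, FrozenSet, Iterable, List

# Neutron's own services create some "network:" ports on behalf of another
# project, e.g. a tenant router attached to a shared network gets a
# network:router_interface port owned by the router's project. Such owners are
# excluded so they do not show up as findings. Assumption for this example;
# operators adjust the set for their deployment.
DEFAULT_ALLOWED_CROSS_PROJECT_OWNERS: FrozenSet[str] = frozenset({
    "network:router_interface",
})

# Constructed sample inventory (not real deployment data).
SAMPLE_NETWORKS: List[Dict[str, object]] = [
    {"id": "net-shared-1", "project_id": "proj-owner", "shared": True},
    {"id": "net-private-1", "project_id": "proj-owner", "shared": False},
]
SAMPLE_PORTS: List[Dict[str, str]] = [
    # DHCP port created in the network owner's project: expected.
    {"id": "port-1", "network_id": "net-shared-1", "project_id": "proj-owner",
     "device_owner": "network:dhcp"},
    # Ordinary instance port from another project: normal shared-network use.
    {"id": "port-2", "network_id": "net-shared-1", "project_id": "proj-tenant-b",
     "device_owner": "compute:nova"},
    # Another project claiming a network-service owner on a shared network:
    # the pattern described in the CVE narrative.
    {"id": "port-3", "network_id": "net-shared-1", "project_id": "proj-tenant-b",
     "device_owner": "network:dhcp"},
    # Router interface from another project: legitimate, allowlisted by default.
    {"id": "port-4", "network_id": "net-shared-1", "project_id": "proj-tenant-c",
     "device_owner": "network:router_interface"},
    # Private network: other projects cannot attach ports there; out of scope.
    {"id": "port-5", "network_id": "net-private-1", "project_id": "proj-owner",
     "device_owner": "network:dhcp"},
]


def is_network_service_owner(device_owner: str) -> bool:
    """The device_owner prefix the vulnerable policy keyed on."""
    return device_owner.startswith("network:")


def find_suspicious_ports(
    networks: Iterable[Dict[str, object]],
    ports: Iterable[Dict[str, str]],
    allowed_cross_project_owners: FrozenSet[str] = DEFAULT_ALLOWED_CROSS_PROJECT_OWNERS,
) -> List[Dict[str, str]]:
    """Return one finding per port that (a) sits on a shared network,
    (b) carries a "network:" device_owner not in the allowlist, and
    (c) belongs to a project other than the network's owner."""
    shared_by_id = {str(n["id"]): n for n in networks if n.get("shared")}
    findings: List[Dict[str, str]] = []
    for port in ports:
        net = shared_by_id.get(port.get("network_id", ""))
        if net is None:
            continue  # not a shared network
        owner = port.get("device_owner") or ""
        if not is_network_service_owner(owner) or owner in allowed_cross_project_owners:
            continue  # ordinary tenant port, or a service owner Neutron sets for tenants
        if port.get("project_id") == net.get("project_id"):
            continue  # service port owned by the network owner: expected
        findings.append({
            "port_id": port["id"],
            "network_id": port["network_id"],
            "port_project": port.get("project_id", ""),
            "network_project": str(net.get("project_id", "")),
            "device_owner": owner,
        })
    return findings


def projects_with_findings(findings: Iterable[Dict[str, str]]) -> List[str]:
    """Sorted list of projects that own at least one flagged port."""
    return sorted({f["port_project"] for f in findings})


if __name__ == "__main__":
    for finding in find_suspicious_ports(SAMPLE_NETWORKS, SAMPLE_PORTS):
        print(finding)
```

In a real deployment the two lists would come from `openstack network list` and `openstack port list` (or the SDK) run with a role that can see all projects; the function itself stays the same. A finding is a prompt to check who created the port and whether the deployment runs a fixed Neutron version, not proof of abuse on its own.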

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • OpenStack/Neutron (inferred), 2 versions: range <28.0.1 (+1 more)
    • (no CPE) range: <28.0.1
    • (no CPE) range: <28.0.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (6)

News mentions (0)

No linked articles in our index yet.