VYPR

PyPI package

openstack-cyborg

pkg:pypi/openstack-cyborg

Vulnerabilities (2)

  • CVE-2026-40214 | Medium | May 7, 2026
    affected < 16.0.1, fixed 16.0.1

    In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential

  • CVE-2026-40213 | High | May 7, 2026
    affected < 16.0.1, fixed 16.0.1

    OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role ass