CVE-2026-50266

NameCVE-2026-50266
DescriptionIn OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6340-1
Debian Bugs1138844

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
neutron (PTS)bullseye (security), bullseye2:17.2.1-0+deb11u1fixed
bookworm2:21.0.0-7fixed
trixie2:26.0.0-9vulnerable
trixie (security)2:26.0.3-0+deb13u2fixed
forky2:27.0.1-6vulnerable
sid2:28.0.0-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
neutronsourcebullseye(not affected)
neutronsourcebookworm(not affected)
neutronsourcetrixie2:26.0.3-0+deb13u2DSA-6340-1
neutronsource(unstable)2:28.0.0-71138844

Notes

[bookworm] - neutron <not-affected> (Vulnerable code not present)
[bullseye] - neutron <not-affected> (Vulnerable code not present)
https://www.openwall.com/lists/oss-security/2026/06/04/6
https://security.openstack.org/ossa/OSSA-2026-021.html
https://launchpad.net/bugs/2152115
Search for package or bug name: Reporting problems