CVE-2026-40213

Name:        CVE-2026-40213
Description: OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.
Source:      CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1136006

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release      Version    Status
cyborg (PTS)     trixie       14.0.0-3   vulnerable
                 forky, sid   16.0.0-2   vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
cyborg    source   (unstable)   (unfixed)                          1136006

Notes

https://www.openwall.com/lists/oss-security/2026/05/07/6
