CVE-2026-49299

Name: CVE-2026-49299
Description: In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1138172

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| neutron (PTS) | bullseye (security), bullseye | 2:17.2.1-0+deb11u1 | vulnerable |
| | bookworm | 2:21.0.0-7 | vulnerable |
| | trixie | 2:26.0.0-9 | vulnerable |
| | forky | 2:27.0.1-6 | vulnerable |
| | sid | 2:28.0.0-4 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| neutron | source | (unstable) | 2:28.0.0-4 | | | 1138172 |

Notes

[trixie] - neutron <no-dsa> (Minor issue)
[bookworm] - neutron <no-dsa> (Minor issue)
https://security.openstack.org/ossa/OSSA-2026-016.html
