CVE-2026-40213
OpenStack Cyborg uses rule:allow (check_str='@') as the default policy for multiple API endpoints
CVSS 3.1 base score: 7.4 (HIGH)
EPSS: 0.04%
Description
OpenStack Cyborg before 16.0.1 ships rule:allow (check_str '@') as the default policy for multiple API endpoints. In oslo.policy, '@' is the always-true check, so any request carrying a valid Keystone token is authorized regardless of roles, project membership, or token scope. An authenticated user with no role assignments at all can therefore invoke privileged operations, including reprogramming FPGA bitstreams on arbitrary compute nodes through the agent RPC interface.
How to fix CVE-2026-40213
To remediate CVE-2026-40213, upgrade the affected package to a fixed version. Two affected packages are listed (see Affected packages below); their fix status:
- first listed package: no fix listed
- second listed package: upgrade to 16.0.1 or later
Until the upgrade is in place, operators can neutralize the allow-all defaults by overriding the affected rules in the service's policy.yaml, which oslo.policy applies in preference to the in-code defaults; any rule whose effective check string is '@' (or empty, which oslo.policy also treats as always-allow) should be replaced with a role- and project-scoped check.
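The description above explains why a '@' default authorizes any token holder, and the fix section recommends overriding such rules in policy.yaml. The following is an added example, not code from the Cyborg project or from this advisory: it audits a policy dump for allow-all check strings, evaluates a small subset of oslo.policy's check-string syntax to show that a zero-role token passes '@' but fails a role-scoped rule, and emits a policy.yaml override block. The rule names, the sample dump, and the credential dicts are constructed placeholders; in a real deployment the dump would come from `oslopolicy-policy-generator --namespace cyborg`, and the real evaluator is oslo.policy's Enforcer, which this toy does not replace.

```python
"""Audit an oslo.policy-style dump for allow-all defaults and show the effect.

Toy evaluator: supports '@', '!', '', 'role:X', 'rule:Y', 'field:%(target_field)s',
'field:literal', with 'and' binding tighter than 'or' (as in oslo.policy).
No parentheses, no 'not', no generic checks; enough to demonstrate the point.
"""
import re

ALLOW_ALL = {"@", ""}   # oslo.policy treats both as "always allow"
DENY_ALL = "!"

# Constructed sample dump. Rule names are hypothetical placeholders, not
# taken from the Cyborg source tree.
POLICY_DUMP = {
    "admin_api": "role:admin",
    "project_member": "role:member and project_id:%(project_id)s",
    "cyborg:deployable:program": "@",        # allow-all: the advisory's pattern
    "cyborg:device:get_all": "",             # empty string is also allow-all
    "cyborg:device_profile:create": "rule:admin_api",
}

# Override block an operator would drop into policy.yaml (hypothetical names).
HARDENED_OVERRIDES = {
    "cyborg:deployable:program": "rule:admin_api",
    "cyborg:device:get_all": "rule:admin_api or rule:project_member",
}


def audit_allow_all(policy):
    """Return rule names whose effective check string authorizes everyone."""
    return sorted(name for name, cs in policy.items() if cs.strip() in ALLOW_ALL)


def _eval_atom(atom, creds, target, policy):
    atom = atom.strip()
    if atom == "@":
        return True
    if atom == DENY_ALL:
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        # Undefined rule references deny here; oslo.policy falls back to its
        # default rule, which hardened deployments set to deny as well.
        return check(policy.get(value, DENY_ALL), creds, target, policy)
    if kind == "role":
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        # e.g. project_id:%(project_id)s compares a token field to a target field
        return str(creds.get(kind)) == str(target.get(value[2:-2]))
    return str(creds.get(kind)) == value


def check(check_str, creds, target, policy):
    """Evaluate a check string against token credentials and the request target."""
    check_str = check_str.strip()
    if check_str in ALLOW_ALL:
        return True
    for disjunct in re.split(r"\s+or\s+", check_str):
        conjuncts = re.split(r"\s+and\s+", disjunct)
        if all(_eval_atom(a, creds, target, policy) for a in conjuncts):
            return True
    return False


def harden(policy, overrides=HARDENED_OVERRIDES):
    """Apply policy.yaml-style overrides on top of the in-code defaults."""
    fixed = dict(policy)
    fixed.update(overrides)
    return fixed


def policy_yaml(overrides=HARDENED_OVERRIDES):
    """Render the overrides in the quoted-key form used in policy.yaml."""
    return "".join(f'"{name}": "{cs}"\n' for name, cs in overrides.items())


# Constructed credentials: what keystonemiddleware would hand to the enforcer.
NO_ROLE_TOKEN = {"user_id": "u1", "project_id": "p1", "roles": []}
MEMBER_TOKEN = {"user_id": "u2", "project_id": "p1", "roles": ["member"]}
ADMIN_TOKEN = {"user_id": "u3", "project_id": "p9", "roles": ["admin"]}
TARGET_P1 = {"project_id": "p1"}

if __name__ == "__main__":
    print("allow-all rules in defaults:", audit_allow_all(POLICY_DUMP))
    prog = POLICY_DUMP["cyborg:deployable:program"]
    print("zero-role token may program FPGA (default):",
          check(prog, NO_ROLE_TOKEN, TARGET_P1, POLICY_DUMP))
    fixed = harden(POLICY_DUMP)
    print("allow-all rules after override:", audit_allow_all(fixed))
    print("zero-role token may program FPGA (hardened):",
          check(fixed["cyborg:deployable:program"], NO_ROLE_TOKEN, TARGET_P1, fixed))
    print("policy.yaml override block:\n" + policy_yaml())
```

The audit treats an empty check string the same as '@' because oslo.policy does; a grep for `"@"` alone would miss those entries. The override keeps a project-scoped read rule alongside the admin rule so that the fix does not over-restrict; whether that is the right split for a given endpoint depends on the endpoint, which is why the names here are placeholders.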
Is CVE-2026-40213 being exploited?
Low: EPSS is 0.04%, a low predicted probability of exploitation in the wild over the next 30 days; no exploitation at scale is indicated by this score.
Affected packages (2)
- all versions from 0 (no fixed version listed)
- from 0, < 16.0.1
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |