CVE-2026-40214 — OpenStack Cyborg's Accelerator Request (ARQ) API does not enforce project owners

Description

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

How to fix CVE-2026-40214

To remediate CVE-2026-40214, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 16.0.1 or later

Is CVE-2026-40214 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 16.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-40214
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-40214
PATCHgithub.com/openstack/cyborg
WEBbugs.launchpad.net/openstack-cyborg/+bug/2144056
WEB