Source: neutron
Version: 2:26.0.0-9
Severity: important
Tags: patch

As per upstream announcement:
https://security.openstack.org/ossa/OSSA-2026-016.html


OSSA-2026-016: Neutron tagging policy bypass allows project readers to mutate
tags

Date: May 28, 2026
CVE: CVE-2026-pending

Affects: Neutron: >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, >=28.0.0 <28.0.1

Note from maintainer: I've had it confirmed on IRC that only versions >= Epoxy
(so Trixie and on, so starting >= 26.0.0) are affected.

Description:

Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron’s
tagging controller. The controller enforces plural policy action names on
single-tag write operations while the defined policy rules use singular names.
The mismatched names evaluate as allowed under default policy, permitting a
project reader to create and update tags on same-project resources.
Deployments running Neutron 26.0.0 or later are affected.

Patches:
    https://review.opendev.org/989376 (2025.1/epoxy)
    https://review.opendev.org/989375 (2025.2/flamingo)
    https://review.opendev.org/989374 (2026.1/gazpacho)
    https://review.opendev.org/989099 (2026.2/hibiscus)

Credits:
    Tim Shephard from roiai.ca (CVE-2026-pending)

References:
    https://launchpad.net/bugs/2150132
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending

Notes:
    CVE assignment is pending (MITRE CAN-2026-2030611).
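
Added example (not part of the advisory, and not Neutron or oslo.policy code): a simplified model of the name mismatch described above, with a fail-closed variant and a lint that flags enforced action names with no registered rule. The rule names, roles and the permissive fallback are assumptions made for illustration.

```python
# Simplified policy model for illustration; all names below are hypothetical.

# Rules as the policy file defines them: singular action names.
REGISTERED_RULES = {
    "get_resource_tag": {"reader", "member", "admin"},
    "create_resource_tag": {"member", "admin"},
    "update_resource_tag": {"member", "admin"},
    "delete_resource_tag": {"member", "admin"},
}

# Assumption: an action with no registered rule falls through to a permissive
# same-project default. This models "evaluate as allowed under default policy".
DEFAULT_ROLES = {"reader", "member", "admin"}

# Action names as a buggy controller would enforce them: plural form.
CONTROLLER_ACTIONS = ["create_resource_tags", "update_resource_tags"]


def enforce(action, role, same_project=True, rules=REGISTERED_RULES):
    """Return True if `role` may perform `action` on a same-project resource."""
    if not same_project:
        return False
    # Silent fallback: an unknown action name is never reported as an error.
    return role in rules.get(action, DEFAULT_ROLES)


def enforce_strict(action, role, same_project=True, rules=REGISTERED_RULES):
    """Fail closed: refuse to evaluate an action that has no registered rule."""
    if action not in rules:
        raise KeyError(f"no policy rule registered for action {action!r}")
    return enforce(action, role, same_project, rules)


def unregistered_actions(enforced, rules=REGISTERED_RULES):
    """Lint: action names a controller enforces that no rule defines."""
    return sorted(set(enforced) - set(rules))


if __name__ == "__main__":
    print(enforce("update_resource_tags", "reader"))   # mismatched name
    print(enforce("update_resource_tag", "reader"))    # matching name
    print(unregistered_actions(CONTROLLER_ACTIONS))    # lint findings
```

Running a check like unregistered_actions() in unit tests against every action name a controller builds catches this class of mismatch before release.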
