OpenStack Cyborg multiple access control vulnerabilities (CVE-2026-40213, CVE-2026-40214)

Vulnerability overview

OpenStack Cyborg is affected by multiple access control vulnerabilities:

1. CVE-2026-40213 (policy bypass): the device, deployable and attribute API endpoints do not enforce an effective policy check, allowing any authenticated user, regardless of role or project scope, to access these resources.

2. CVE-2026-40214 (missing ownership check): accelerator request (ARQ) resources lack project ownership enforcement, allowing any authenticated user to enumerate, delete or otherwise manipulate ARQs belonging to other projects.

Affected scope

Component: Cyborg

Affected versions: >= 3.0.0 = 15.0.0 = 16.0.0 < 16.0.1

Fix

Patches have been published through the OpenStack Gerrit review system. The related patch links are:

1.0/epoxy:
https://review.opendev.org/c/openstack/cyborg/+/987698
https://review.opendev.org/c/openstack/cyborg/+/987699
https://review.opendev.org/c/openstack/cyborg/+/987700
https://review.opendev.org/c/openstack/cyborg/+/987701
https://review.opendev.org/c/openstack/cyborg/+/987702
https://review.opendev.org/c/openstack/cyborg/+/987703

2.0/flamingo:
https://review.opendev.org/c/openstack/cyborg/+/987692
https://review.opendev.org/c/openstack/cyborg/+/987693
https://review.opendev.org/c/openstack/cyborg/+/987694
https://review.opendev.org/c/openstack/cyborg/+/987695
https://review.opendev.org/c/openstack/cyborg/+/987696
https://review.opendev.org/c/openstack/cyborg/+/987697
https://review.opendev.org/c/openstack/cyborg/+/987687
https://review.opendev.org/c/openstack/cyborg/+/987688
https://review.opendev.org/c/openstack/cyborg/+/987689
https://review.opendev.org/c/openstack/cyborg/+/987690
https://review.opendev.org/c/openstack/cyborg/+/987691

2.0/habiscus:
https://review.opendev.org/c/openstack/cyborg/+/987680
https://review.opendev.org/c/openstack/cyborg/+/987681
https://review.opendev.org/c/openstack/cyborg/+/987682
https://review.opendev.org/c/openstack/cyborg/+/987683
https://review.opendev.org/c/openstack/cyborg/+/987684
https://review.opendev.org/c/openstack/cyborg/+/987685
https://review.opendev.org/c/openstack/cyborg/+/987686
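The two defect classes above (an unconditional policy rule, and a handler that never compares the record's project to the caller's) are easiest to see side by side. The following is an added illustration written for this advisory; it is not Cyborg's code, and the policy names (arq:list, arq:delete), the rule-string subset it evaluates, and the ARQ records are constructed assumptions modelled loosely on oslo.policy conventions. It shows a weak policy set that admits every authenticated caller, a hardened set that requires the admin role or project ownership, and a delete handler that checks ownership before acting.

```python
"""Constructed example: unconditional policy vs. role/owner policy for an ARQ-style API."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Context:
    """Keystone-style request context: who is calling and from which project."""
    user_id: str
    project_id: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class ARQ:
    """Minimal stand-in for an accelerator request record (assumed shape)."""
    uuid: str
    project_id: str


class NotFound(Exception):
    """Raised for missing records and for records the caller may not see."""


def check_rule(rule: str, ctx: Context, target: dict) -> bool:
    """Evaluate a small oslo.policy-like rule subset (assumption, not the real grammar).

    ""                          -> always allowed: the unconditional shape behind CVE-2026-40213
    "role:<name>"               -> caller holds that role
    "project_id:%(project_id)s" -> caller's project equals the target record's project
    "A or B"                    -> either clause suffices
    """
    if rule.strip() == "":
        return True
    for clause in rule.split(" or "):
        clause = clause.strip()
        if clause.startswith("role:") and clause[len("role:"):] in ctx.roles:
            return True
        if clause.startswith("project_id:"):
            wanted = clause[len("project_id:"):] % target  # expands %(project_id)s
            if wanted == ctx.project_id:
                return True
    return False


# Weak configuration: the empty rule matches every authenticated caller.
WEAK_POLICY = {"arq:list": "", "arq:delete": ""}

# Hardened configuration: admin role, or the caller's project owns the record.
FIXED_POLICY = {
    "arq:list": "role:admin or project_id:%(project_id)s",
    "arq:delete": "role:admin or project_id:%(project_id)s",
}


def make_store() -> Dict[str, ARQ]:
    """Constructed records owned by two different projects."""
    return {
        "arq-1": ARQ("arq-1", "project-a"),
        "arq-2": ARQ("arq-2", "project-b"),
    }


def list_arqs(ctx: Context, policy: dict, store: Dict[str, ARQ]) -> List[str]:
    """Return the UUIDs the caller may see; the rule is evaluated per record."""
    return [
        arq.uuid
        for arq in store.values()
        if check_rule(policy["arq:list"], ctx, {"project_id": arq.project_id})
    ]


def delete_arq(ctx: Context, policy: dict, store: Dict[str, ARQ], uuid: str) -> bool:
    """Delete only when the policy admits the caller for this record's project."""
    arq = store.get(uuid)
    if arq is None:
        raise NotFound(uuid)
    if not check_rule(policy["arq:delete"], ctx, {"project_id": arq.project_id}):
        # Answer NotFound rather than Forbidden so a denied caller cannot use
        # the endpoint to confirm that another project's ARQ exists.
        raise NotFound(uuid)
    del store[uuid]
    return True


def demo() -> dict:
    """Exercise both policy sets with a plain member of project-a and an admin."""
    member_a = Context("u1", "project-a", frozenset({"member"}))
    admin = Context("u0", "project-admin", frozenset({"admin"}))
    result = {
        "weak_list": list_arqs(member_a, WEAK_POLICY, make_store()),
        "fixed_list": list_arqs(member_a, FIXED_POLICY, make_store()),
        "admin_list": list_arqs(admin, FIXED_POLICY, make_store()),
        "weak_cross_delete": delete_arq(member_a, WEAK_POLICY, make_store(), "arq-2"),
    }
    try:
        delete_arq(member_a, FIXED_POLICY, make_store(), "arq-2")
        result["fixed_cross_delete"] = "deleted"
    except NotFound:
        result["fixed_cross_delete"] = "denied"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under WEAK_POLICY the project-a member lists and deletes project-b's record; under FIXED_POLICY the same caller sees only its own record and the cross-project delete is refused, while an admin still sees everything. When auditing a deployment, the equivalent check is to inspect the effective policy for each Cyborg endpoint and confirm that no resource-level rule is empty or reduces to a bare authentication check.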