OpenStack Cyborg ARK API Missing Project Ownership Leads to Info Disclosure and DoS (CVE-2026-40214)

Vulnerability Summary: Cyborg ARK API Lack of Project Ownership Tracking Vulnerability Overview Vulnerability ID: CVE-2026-40214 Title: [OSSA-2026-011] Cyborg ARK API lacks project ownership tracking, leading to cross-tenant information disclosure and denial of service Severity: Critical Description: Cyborg’s Accelerator Request (ARK) API does not enforce project ownership at any level. The column in the table is never populated (always NULL). Database queries lack project filtering. Policy checks are "self-referential" (i.e., the decorator compares the caller's with itself, rather than the target resource's). Impact: Any authenticated non-admin user can: 1. List ARKs across all projects (leading to cross-tenant information disclosure of instance UUIDs, hostnames, PCI addresses, and device profiles). 2. Delete ARKs bound to instances in other projects (leading to cross-tenant denial of service, preventing victims from restarting their VMs). 3. Manipulate ARK bindings associated with instances (as they are not enforced). Additional Issues: The (show) endpoint is broken due to the missing method. The Microversion 2.1 PATCH endpoint allows spoofing, where callers can specify an arbitrary without administrator role verification. Affected Versions: All versions since Train (3.0.6). Scope Affected Project: Cyborg (OpenStack) Affected Branches/Versions: 2024.2 (In Progress) 2025.1 (In Progress) 2025.2 (In Progress) 2026.1 (In Progress) 2026.2 (Fix Released) Security Advice: An OpenStack Security Advisory (OSSA) has been released, recommending an upgrade and patch application. Remediation Core Fixes: Populate at the database level. Implement correct policy checks to ensure operation permissions are based on the target resource's ownership, not the caller's own identity. Fix the endpoint. Remove spoofing capability or add administrator role checks in the Microversion 2.1 PATCH endpoint. Patch Files: Test Scripts: Related Patches**: This fix depends on another patch (to populate for existing ARKs). POC/Exploit Code The following code block is from attachment and demonstrates the full exploit chain: The following code block is from attachment and demonstrates spoofing:

Goal Reached Thanks to every supporter — we hit 100%!

OpenStack Cyborg ARK API Missing Project Ownership Leads to Info Disclosure and DoS (CVE-2026-40214)

More from this source