CVE-2026-49299

Vulnerability Description

In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.

Vulnerability Details

Published Date

May 28, 2026

Last Modified

May 28, 2026

CWE ID

CWE-863

Source

NVD

Vendor

OpenStack

Product

Neutron

External References

https://bugs.launchpad.net/bugs/2150132
https://review.opendev.org/c/openstack/neutron/+/989099
https://www.openwall.com/lists/oss-security/2026/05/28/8

CVE-2026-49299

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment