CVE-2026-43002: OpenStack Horizon has Incorrect Behavior Order

May 5, 2026 (updated May 8, 2026)

An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix.

References

bugs.launchpad.net/horizon/+bug/2150331
github.com/advisories/GHSA-vxvf-xvm3-p8j5
github.com/openstack/horizon
nvd.nist.gov/vuln/detail/CVE-2026-43002
security.openstack.org/ossa/OSSA-2026-009.html
www.openwall.com/lists/oss-security/2026/05/05/7

Code Behaviors & Features

Detect and mitigate CVE-2026-43002 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →