CVE-2026-40214: OpenStack Cyborg's Accelerator Request (ARQ) API does not enforce project ownership at any layer

May 8, 2026 (updated May 13, 2026)

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller’s project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects’ instances, aka cross-tenant denial of service.

References

bugs.launchpad.net/openstack-cyborg/+bug/2144056
github.com/advisories/GHSA-mmpc-xjxr-5hf8
nvd.nist.gov/vuln/detail/CVE-2026-40214
security.openstack.org/ossa/OSSA-2026-011.html
www.openwall.com/lists/oss-security/2026/05/07/6

Code Behaviors & Features

Detect and mitigate CVE-2026-40214 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →