Fluid Attacks Database

Description

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 13	cyborg	=14.0.0-3 \|\| =15.0.0-1 \|\| =15.0.0~rc1-1 \|\| =15.0.0~rc1-2 \|\| =15.0.0~rc1-3 \|\| =16.0.0-1 \|\| =16.0.0-2 \|\| =16.0.0~rc1-1 \|\| =16.0.0~rc1-2 \|\| =16.0.0~rc2-1
debian 14	cyborg	=14.0.0-3 \|\| =15.0.0-1 \|\| =15.0.0~rc1-1 \|\| =15.0.0~rc1-2 \|\| =15.0.0~rc1-3 \|\| =16.0.0-1 \|\| =16.0.0-2 \|\| =16.0.0~rc1-1 \|\| =16.0.0~rc1-2 \|\| =16.0.0~rc2-1

Aliases

1. CVE-2026-402142. NVD-2026-402143. OSV-DEBIAN-2026-402144. OSV-2026-402145. SECURITY-TRACKER-CVE-2026-40214

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.