Fluid Attacks Database

Description

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 13	cyborg	=14.0.0-3 \|\| =15.0.0-1 \|\| =15.0.0~rc1-1 \|\| =15.0.0~rc1-2 \|\| =15.0.0~rc1-3 \|\| =16.0.0-1 \|\| =16.0.0-2 \|\| =16.0.0~rc1-1 \|\| =16.0.0~rc1-2 \|\| =16.0.0~rc2-1
debian 14	cyborg	=14.0.0-3 \|\| =15.0.0-1 \|\| =15.0.0~rc1-1 \|\| =15.0.0~rc1-2 \|\| =15.0.0~rc1-3 \|\| =16.0.0-1 \|\| =16.0.0-2 \|\| =16.0.0~rc1-1 \|\| =16.0.0~rc1-2 \|\| =16.0.0~rc2-1

Aliases

1. CVE-2026-402132. NVD-2026-402133. OSV-DEBIAN-2026-402134. OSV-2026-402135. SECURITY-TRACKER-CVE-2026-40213

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.