CVE-2026-49299

unknown
Published 2026-05-28 · Modified 2026-05-29
CVSS v4: 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
VIR risk

Description

In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · DFSG

CVE-2026-49299

Name: CVE-2026-49299
Description: In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1138172

Vulnerable and fixed packages

The table below lists information on source packages.

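| Source Package | Release | Version | Status |
|---|---|---|---|
| neutron (PTS) | bullseye (security), bullseye | 2:17.2.1-0+deb11u1 | vulnerable |
| neutron (PTS) | bookworm | 2:21.0.0-7 | vulnerable |
| neutron (PTS) | trixie | 2:26.0.0-9 | vulnerable |
| neutron (PTS) | forky | 2:27.0.1-6 | vulnerable |
| neutron (PTS) | sid | 2:28.0.0-4 | fixed |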

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| neutron | source | (unstable) | 2:28.0.0-4 | | | 1138172 |

Notes

[trixie] - neutron <no-dsa> (Minor issue)
[bookworm] - neutron <no-dsa> (Minor issue)
https://security.openstack.org/ossa/OSSA-2026-016.html

OS impact

| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian debian | bookworm | affected | |
| debian debian | bullseye | affected | |
| debian debian | forky | affected | |
| debian debian | sid | fixed | 2:28.0.0-4 |
| debian debian | trixie | affected | |

References

CWEs

CWE-863