Tim Shephard

Researcher fromroiai.ca
#12919of 53,622
20.7Total CVSS
Vulnerabilities · 3
Medium
1
High
2
PT-2026-46260
7.4
2026-06-04
Openstack · Oslo.Messaging · CVE-2026-44393
**Name of the Vulnerable Software and Affected Versions** oslo.messaging versions 1.0.0 through 17.3.0 **Description** The RabbitMQ driver in oslo.messaging fails to perform TLS hostname verification when connecting to the message broker. While the driver enables certificate chain validation when `ssl ca file` is configured, it does not pass the expected broker hostname to the TLS stack. Consequently, any certificate signed by the deployment CA is accepted regardless of the hostname. This allows an attacker capable of intercepting control-plane traffic to impersonate the RabbitMQ broker and execute a man-in-the-middle attack on RPC and notification traffic. All OpenStack services utilizing oslo.messaging with RabbitMQ over TLS are impacted. **Recommendations** Update to version 18.1.0-1.1 or later.
PT-2026-44555
5.3
2026-05-28
Openstack · Neutron · CVE-2026-49299
**Name of the Vulnerable Software and Affected Versions** OpenStack Neutron versions 26.0.0 through 28.0.0 **Description** The tagging controller enforces plural policy action names on single-tag write operations, whereas the defined policy rules use singular names. This mismatch causes the default policy to evaluate the actions as allowed, enabling a project reader to create and update tags on resources within the same project. **Recommendations** Update to version 28.0.1.
PT-2026-36306
8.0
2026-05-01
Openstack · Openstack Keystone · CVE-2026-43001
**Name of the Vulnerable Software and Affected Versions** OpenStack Keystone versions 13 through 29 **Description** An issue exists where the 'POST /v3/credentials' endpoint fails to validate that the `project id` provided by the caller for an EC2-type credential matches the project of the authenticating application credential. This allows an attacker with an unrestricted application credential for one project to create an EC2 credential targeting a different project. A subsequent exchange via '/v3/ec2tokens' can then issue a Keystone token scoped to the target project while retaining the original `app cred id`, enabling cross-project lateral movement within the role footprint of the credential owner. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.