PT-2026-38596 · Openstack · Openstack Cyborg

Sean Mooney

·

Published

2026-05-07

·

Updated

2026-05-09

·

CVE-2026-40213

CVSS v3.1

7.4

High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

OpenStack Cyborg versions prior to 16.0.1

Description

Multiple API endpoints use rule:allow (check string '@') as the default policy, which unconditionally authorizes any request carrying a valid Keystone token, regardless of the user's roles, project membership, or scope. Consequently, an authenticated user with no assigned roles can perform various actions, including reprogramming FPGA (Field Programmable Gate Array) bitstreams on arbitrary compute nodes via agent RPC (Remote Procedure Call).

Recommendations

Update to version 16.0.1.
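The following is an added example, not code from the Cyborg project or from oslo.policy. It models a small subset of oslo.policy check-string semantics ('@' always-allow, '!' always-deny, role:, rule: and generic key:value checks joined by "and"/"or", with "and" binding tighter) to show why a rule that resolves to '@' admits a token holder with no roles, and to audit a policy table for every rule that resolves to unconditional allow, including through rule: indirection. The rule names and both policy tables are constructed for illustration and are not Cyborg's actual defaults; parentheses and "not" are deliberately out of scope.

```python
"""Simplified model of oslo.policy check strings (added example, not project code)."""

# Constructed policy tables in the shape of a policy.yaml, hypothetical rule names.
WEAK_POLICY = {
    "allow": "@",
    "admin_api": "role:admin",
    "cyborg:deployable:program": "rule:allow",        # resolves to '@'
    "cyborg:device_profile:get_all": "rule:allow",    # resolves to '@'
    "cyborg:arq:get_all": "rule:allow or role:admin",  # '@' inside an "or" is still unconditional
}

HARDENED_POLICY = {
    "admin_api": "role:admin",
    "admin_or_owner": "rule:admin_api or project_id:%(project_id)s",
    "project_member": "role:member and project_id:%(project_id)s",
    "cyborg:deployable:program": "rule:admin_api",
    "cyborg:device_profile:get_all": "rule:project_member",
    "cyborg:device_profile:get_one": "rule:admin_or_owner",
}


def _eval_atom(atom, policy, creds, target):
    """Evaluate one check atom against the caller's credentials and the target."""
    atom = atom.strip()
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return check(value, policy, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: interpolate %(key)s from the target, then compare to the credential.
    if "%(" in value:
        value = value % target
    return str(creds.get(kind)) == value


def _eval(expr, policy, creds, target):
    # "and" binds tighter than "or"; no parentheses or "not" in this model.
    return any(
        all(_eval_atom(a, policy, creds, target) for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def check(rule, policy, creds, target):
    """Return True if `rule` authorizes `creds` for `target`; unknown rules deny (assumption)."""
    expr = policy.get(rule)
    if expr is None:
        return False
    return _eval(expr, policy, creds, target)


def _always_true(expr, policy, seen):
    """True if `expr` authorizes every caller, following rule: references (cycle-safe)."""
    def atom_true(atom):
        atom = atom.strip()
        if atom == "@":
            return True
        if atom.startswith("rule:"):
            name = atom[len("rule:"):]
            if name in seen or name not in policy:
                return False
            return _always_true(policy[name], policy, seen | {name})
        return False
    return any(
        all(atom_true(a) for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def unconditional_rules(policy):
    """Audit helper: names of all rules that grant access to any valid token holder."""
    return sorted(name for name, expr in policy.items()
                  if _always_true(expr, policy, {name}))


if __name__ == "__main__":
    # Constructed caller: valid token, no roles at all, member of project p1.
    no_roles = {"roles": [], "project_id": "p1", "is_admin": False}
    target = {"project_id": "p1"}
    for name, table in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        allowed = check("cyborg:deployable:program", table, no_roles, target)
        print(f"{name}: no-role user may program deployable: {allowed}")
        print(f"{name}: unconditional rules: {unconditional_rules(table)}")
```

Pointing the audit at an operator's effective policy (for instance the YAML emitted by oslopolicy-policy-generator, loaded into a dict) lists every API rule that any token holder can satisfy, which is the class of default this advisory describes. The hardened table shows the usual replacements: an admin-only rule for node-affecting operations and a project-scoped rule for reads, so a caller must hold a role and match the target project rather than merely present a token.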

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-40213
GHSA-MM7J-MHHJ-HJ36

Affected Products

Openstack Cyborg