PT-2026-38597 · Openstack · Openstack Cyborg

Sean Mooney · Published 2026-05-07 · Updated 2026-05-09 · CVE-2026-40214

CVSS v3.1: 6.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: OpenStack Cyborg versions prior to 16.0.1

Description: The Accelerator Request (ARQ) API fails to enforce project ownership. The project id database column is never populated, database queries do not filter by project, and policy checks are self-referential because the authorize wsgi function compares the caller's project id with itself instead of with the target resource's project id. As a result, any authenticated non-admin user can perform actions such as deleting ARQs associated with instances belonging to other projects, leading to a cross-tenant denial of service.

Recommendations: Update to version 16.0.1.
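The three defects named in the description (unpopulated ownership column, unfiltered queries, self-referential policy check) are a common shape for cross-tenant authorization bugs. The following Python is an added illustration, not Cyborg's code: an in-memory stand-in for an ARQ table with a vulnerable delete path that reproduces that shape, beside a hardened path that stores the owner on create, filters the query by project, and compares the caller's project against the resource's owner, failing closed when the column is empty. All names (Context, ARQ, ARQStore, the functions) are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class Forbidden(Exception):
    """Policy check failed."""


class NotFound(Exception):
    """Resource not visible to the caller."""


@dataclass
class Context:
    """Hypothetical request context built from the caller's token."""
    project_id: str
    is_admin: bool = False


@dataclass
class ARQ:
    """Hypothetical accelerator-request row; project_id is the ownership column."""
    uuid: str
    instance_uuid: str
    project_id: Optional[str] = None  # stays None on the vulnerable create path


class ARQStore:
    """Minimal in-memory stand-in for the database table."""

    def __init__(self) -> None:
        self._rows: Dict[str, ARQ] = {}

    def insert(self, arq: ARQ) -> None:
        self._rows[arq.uuid] = arq

    def get_any(self, uuid: str) -> Optional[ARQ]:
        # Vulnerable pattern: primary-key lookup with no tenant filter.
        return self._rows.get(uuid)

    def get_for_project(self, uuid: str, ctx: Context) -> Optional[ARQ]:
        # Hardened pattern: the tenant filter is part of the query, so a row
        # owned by another project looks the same as a missing row.
        row = self._rows.get(uuid)
        if row is not None and (ctx.is_admin or row.project_id == ctx.project_id):
            return row
        return None

    def delete(self, uuid: str) -> None:
        self._rows.pop(uuid, None)


# ---- vulnerable shape (mirrors the advisory's description) -------------------

def create_vulnerable(store: ARQStore, ctx: Context, uuid: str, inst: str) -> ARQ:
    arq = ARQ(uuid=uuid, instance_uuid=inst)  # ownership column never populated
    store.insert(arq)
    return arq


def authorize_self_referential(ctx: Context, target: Optional[dict] = None) -> bool:
    # With no target supplied, the "target" defaults to the caller's own
    # attributes, so the check becomes project_id == project_id: always true.
    target = target if target is not None else {"project_id": ctx.project_id}
    return target["project_id"] == ctx.project_id


def delete_vulnerable(store: ARQStore, ctx: Context, uuid: str) -> None:
    if not authorize_self_referential(ctx):  # no target passed
        raise Forbidden("policy")
    if store.get_any(uuid) is None:           # no project filter
        raise NotFound(uuid)
    store.delete(uuid)


# ---- hardened shape ----------------------------------------------------------

def create_hardened(store: ARQStore, ctx: Context, uuid: str, inst: str) -> ARQ:
    arq = ARQ(uuid=uuid, instance_uuid=inst, project_id=ctx.project_id)
    store.insert(arq)
    return arq


def authorize_owner(ctx: Context, resource: ARQ) -> bool:
    # Compare the caller's project with the resource's owner; an empty
    # ownership column is a deny, not a match.
    if ctx.is_admin:
        return True
    if resource.project_id is None:
        return False
    return resource.project_id == ctx.project_id


def delete_hardened(store: ARQStore, ctx: Context, uuid: str) -> None:
    row = store.get_for_project(uuid, ctx)
    if row is None:
        raise NotFound(uuid)
    if not authorize_owner(ctx, row):  # defence in depth on top of the query filter
        raise Forbidden("policy")
    store.delete(uuid)


def demo() -> dict:
    """Constructed scenario: project-b caller tries to delete project-a's ARQ."""
    owner, other, admin = Context("project-a"), Context("project-b"), Context("ops", True)
    out = {}
    s = ARQStore()
    create_vulnerable(s, owner, "arq-1", "inst-1")
    delete_vulnerable(s, other, "arq-1")
    out["vulnerable_cross_tenant_delete"] = s.get_any("arq-1") is None
    s = ARQStore()
    create_hardened(s, owner, "arq-2", "inst-2")
    try:
        delete_hardened(s, other, "arq-2")
        out["hardened_cross_tenant_delete"] = True
    except NotFound:
        out["hardened_cross_tenant_delete"] = False
    delete_hardened(s, owner, "arq-2")
    out["owner_can_delete"] = s.get_any("arq-2") is None
    create_hardened(s, owner, "arq-3", "inst-3")
    delete_hardened(s, admin, "arq-3")
    out["admin_can_delete"] = s.get_any("arq-3") is None
    return out
```

The hardened path returns NotFound rather than Forbidden for another project's row so that the API does not leak whether a given UUID exists; the explicit authorize_owner call after the filtered query is redundant by construction and exists so that a future unfiltered query path cannot silently reopen the hole.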

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2026-40214
GHSA-MMPC-XJXR-5HF8

Affected Products

Openstack Cyborg