GHSA-xv24-hxh9-2hh9Medium

OpenStack Neutron has an Incorrect Authorization issue

Published
May 29, 2026
Last Modified
July 2, 2026

🔗 CVE IDs covered (1)

📋 Description

In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.

🎯 Affected products3

  • pip/neutron:>= 28.0.0, < 28.0.1
  • pip/neutron:>= 27.0.0, < 27.0.3
  • pip/neutron:>= 26.0.0, < 26.0.4

🔗 References (6)