PatchSiren cyber security CVE debrief
CVE-2026-49299 OpenStack CVE debrief
A policy name mismatch in OpenStack Neutron's tagging controller allows project readers to create and update resource tags. The controller enforces plural policy action names (e.g., 'create_tags') while the policy rules use singular names (e.g., 'create_tag'). Under Neutron's default policy, mismatched names evaluate as allowed, granting unauthorized write access to tags on same-project resources. This affects deployments running Neutron 26.0.0 through 28.0.0.
- Vendor: OpenStack
- Product: Neutron
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Cloud infrastructure operators running OpenStack Neutron 26.0.0 or later; security teams managing multi-tenant OpenStack deployments; compliance officers responsible for access control audits in private cloud environments.
Technical summary
The vulnerability exists in OpenStack Neutron's tagging controller, which handles metadata tag operations on network resources. The controller implements policy enforcement using plural action names ('create_tags', 'update_tags', 'delete_tags', 'get_tags'), but the policy rules defined in Neutron's policy files use singular names ('create_tag', 'update_tag', 'delete_tag', 'get_tag'). When the controller attempts to enforce a policy action that does not exist in the policy definition, Neutron's policy engine defaults to allowing the action. This behavior, present since Neutron 26.0.0, permits any user with the 'reader' role on a project to create and modify tags on resources within that project, contrary to the intended access controls. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and low integrity impact on the vulnerable component.
Defensive priority
medium
Recommended defensive actions
- Upgrade OpenStack Neutron to version 28.0.1 or later to resolve the policy enforcement mismatch.
- If immediate patching is not feasible, review and customize Neutron policy.json or policy.yaml to explicitly deny 'create_tag' and 'update_tag' actions for the 'reader' role on affected resources.
- Audit existing resource tags in affected projects to identify any unauthorized modifications made prior to remediation.
- Monitor Neutron API logs for unexpected tag creation or update operations by project reader users.
- Verify that custom policy overrides do not inadvertently reintroduce the vulnerable default behavior.
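The mechanism in the technical summary (an enforced action name with no matching rule falls through to the default) and the last action above (verifying that policy overrides actually bind to the names the code enforces) can be checked with a small audit. The following is an added, constructed model and is not Neutron's or oslo.policy's code: the rule syntax, the default-rule handling and the sample rule values are simplifications assumed here, while the action names are the ones the advisory reports.

```python
"""Constructed, simplified model of name-based policy lookup (not Neutron's
or oslo.policy's code). It shows how an enforced action name that has no rule
of its own falls through to the default rule, and how a name audit catches it."""
from typing import Dict, List, Set, Tuple

# Constructed sample rules keyed by the singular names the advisory describes.
# Rule syntax here is just "role:<name>", "any" (permissive) or "none" (deny).
POLICY_RULES: Dict[str, str] = {
    "create_tag": "role:member",
    "update_tag": "role:member",
    "delete_tag": "role:member",
    "get_tag": "role:reader",
}
# Plural names the advisory says the controller enforced.
CONTROLLER_ACTIONS: List[str] = ["create_tags", "update_tags", "delete_tags", "get_tags"]


def is_allowed(action: str, roles: Set[str], rules: Dict[str, str], default_rule: str) -> bool:
    """Look up the rule for `action`; if none exists, use `default_rule` instead."""
    rule = rules.get(action, default_rule)
    if rule == "any":
        return True
    if rule == "none":
        return False
    kind, _, value = rule.partition(":")
    return kind == "role" and value in roles


def audit_unmatched_actions(enforced: List[str], rules: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (enforced_action, nearest_existing_rule) for every enforced name that
    has no rule. The nearest rule is the singular/plural neighbour, or '<none>'."""
    findings = []
    for action in enforced:
        if action in rules:
            continue
        neighbour = action[:-1] if action.endswith("s") else action + "s"
        findings.append((action, neighbour if neighbour in rules else "<none>"))
    return findings


if __name__ == "__main__":
    reader = {"reader"}
    # Mismatched plural name: no rule, so the permissive default applies -> True
    print(is_allowed("create_tags", reader, POLICY_RULES, "any"))
    # Corrected singular name: the real rule applies and reader is denied -> False
    print(is_allowed("create_tag", reader, POLICY_RULES, "any"))
    for action, neighbour in audit_unmatched_actions(CONTROLLER_ACTIONS, POLICY_RULES):
        print(f"{action!r} has no rule; nearest defined rule is {neighbour!r}")
```

Running the audit against a deployment's real policy file and the action names its code enforces surfaces exactly this class of mismatch before it turns into a default-allow.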
Evidence notes
The vulnerability stems from a naming inconsistency introduced in Neutron 26.0.0 when the tagging controller was implemented. The controller code references plural policy action names that do not exist in the policy definition files, causing the default 'allow' behavior to apply. The fix in version 28.0.1 aligns the controller's policy enforcement with the actual policy rule names.