PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50266 OpenStack CVE debrief

CVE-2026-50266 is a security vulnerability in OpenStack Neutron that allows a project manager to bypass security group protections and enable spoofing on shared networks. A project manager can create or update a port on a shared network owned by another project and set device_owner to a value beginning with the 'network:' prefix, such as 'network:dhcp'. The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, so any project manager could obtain the trusted network-service port behavior on shared networks. This can lead to DHCP, MAC, or IP spoofing against other tenants on the shared network.

Vendor
OpenStack
Product
Neutron
CVSS
LOW 2.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-04
Advisory published
2026-06-04
Advisory updated
2026-06-04

Who should care

Operators of OpenStack Neutron deployments, particularly those that expose shared networks to multiple projects, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value beginning with the 'network:' prefix. The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, so any project manager could obtain the trusted network-service port behavior on shared networks. Depending on the backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network.

Defensive priority

Low

Recommended defensive actions

  • Upgrade to OpenStack Neutron version 28.0.1 or later.
  • Review and update the default port RBAC policies to require network ownership.
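Before the upgrade is rolled out, an operator can audit existing ports for the condition the technical summary describes: a port on a shared network whose device_owner carries the trusted 'network:' prefix but whose project is not the network's owner. The script below is an added example, not code from the advisory or from Neutron; the record shapes mimic the JSON output of `openstack network list` / `openstack port list` and the sample data is constructed.

```python
import json
from typing import List

# Constructed sample records (field names follow the OpenStack CLI JSON
# output; the ids and project names are made up for this example).
NETWORKS_JSON = """[
 {"id": "net-shared", "project_id": "proj-owner", "shared": true},
 {"id": "net-private", "project_id": "proj-owner", "shared": false}
]"""

PORTS_JSON = """[
 {"id": "p1", "network_id": "net-shared", "project_id": "proj-owner",
  "device_owner": "network:dhcp"},
 {"id": "p2", "network_id": "net-shared", "project_id": "proj-other",
  "device_owner": "network:dhcp"},
 {"id": "p3", "network_id": "net-shared", "project_id": "proj-other",
  "device_owner": "compute:nova"},
 {"id": "p4", "network_id": "net-private", "project_id": "proj-other",
  "device_owner": "network:router_interface"}
]"""

# Prefix that Neutron treats as a trusted network-service port.
TRUSTED_PREFIX = "network:"


def find_suspect_ports(networks: List[dict], ports: List[dict]) -> List[dict]:
    """Return ports on shared networks whose device_owner claims a
    network-service role but whose project is not the network owner."""
    net_by_id = {n["id"]: n for n in networks}
    suspects = []
    for port in ports:
        net = net_by_id.get(port["network_id"])
        if net is None or not net.get("shared"):
            continue  # only shared networks are in scope for this CVE
        owner = port.get("device_owner") or ""
        if not owner.startswith(TRUSTED_PREFIX):
            continue  # ordinary tenant ports get normal anti-spoofing rules
        if port.get("project_id") != net.get("project_id"):
            suspects.append(port)
    return suspects


def audit(networks_json: str, ports_json: str) -> List[str]:
    """Parse CLI-style JSON dumps and return the ids of ports to review."""
    suspects = find_suspect_ports(json.loads(networks_json), json.loads(ports_json))
    return [p["id"] for p in suspects]


if __name__ == "__main__":
    for port_id in audit(NETWORKS_JSON, PORTS_JSON):
        print(f"review port {port_id}: 'network:' device_owner set by a non-owner project on a shared network")
```

Reported ports are candidates for review rather than confirmed abuse: an interface of a project's own router attached to a shared network also carries a network: device_owner with that project's project_id, so triage each hit against the expected service ports.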

Evidence notes

This vulnerability is a regression of CVE-2015-5240 (OSSA-2015-018).

Official resources

CVE-2026-50266 was published on 2026-06-04T17:16:33.517Z and modified on 2026-06-04T19:15:17.327Z.