LOW 2.2

CVE-2026-50266: OpenStack Neutron Multi-Tenant RBAC Bypass and Network Spoofing

A flaw in OpenStack Neutron versions before 28.0.1 allows project managers to perform network spoofing attacks on shared networks. The vulnerability stems from overly permissive role-based access control (RBAC) policies that allow any project manager to create or modify ports on networks they don't own, and crucially, to assign those ports special "trusted" network service identities (like DHCP servers). This bypasses normal anti-spoofing rules and security group protections, enabling attackers to spoof DHCP, MAC, or IP addresses to target other tenants sharing the same network. This is a reintroduction of a vulnerability that was supposedly fixed nearly a decade ago.

Source data · NVD / CISA · public domain

CVSS
3.1 · 2.2 LOW · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-863
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-50266 is a regression in Neutron's port RBAC policy enforcement. The default policies incorrectly permit the PROJECT_MANAGER role to create or update ports on shared networks without validating network ownership. An attacker with project manager privileges can set the device_owner field to values prefixed with "network:" (for example, "network:dhcp"), which designates a port as a trusted network service port. This designation normally applies only to ports created by infrastructure, yet the policy enforcement gap allows cross-project application. On deployments using certain backend drivers, this circumvents anti-spoofing rules (typically enforced via port security or firewall rules) and security group filtering, enabling Layer 2 and Layer 3 spoofing attacks. CWE-863 (Incorrect Authorization) categorizes the underlying flaw.

Business impact

The practical risk depends heavily on deployment architecture. In multi-tenant environments where different projects share network infrastructure, a compromised or malicious project manager account could disrupt other tenants by injecting rogue DHCP responses, flooding with spoofed traffic, or hijacking IP addressing. This erodes tenant isolation guarantees and can violate compliance requirements around workload separation. However, the low CVSS score reflects that exploitation requires high privilege (project manager role) and specific backend configurations; the impact is primarily integrity-focused (traffic manipulation) rather than confidentiality or availability loss. Organizations with strict role-based access controls limiting who holds project manager status will see reduced risk.

Affected systems

OpenStack Neutron versions before 28.0.1 are vulnerable. The affected vendor data was not provided in the source; verify against OpenStack security advisories for the complete list of affected releases and any backported versions for older stable branches. Deployments running Neutron 28.0.1 or later are patched.

Exploitability

Exploitation requires an authenticated account with project manager role privileges, which is a high barrier for external attackers but straightforward for insider threats or compromised admin credentials. The CVSS vector (AC:H, PR:H) reflects this: access is network-based but with high privilege and complex preconditions. Real-world exploitation likelihood is moderate; the attack surface is limited to multi-tenant clouds where projects share networks and attackers have elevated roles. No public exploit code is known, and the vulnerability requires knowledge of OpenStack internals to weaponize effectively.

Remediation

Upgrade Neutron to version 28.0.1 or later. The fix corrects the RBAC policy to enforce network ownership checks before permitting device_owner assignment with "network:" prefixes. Administrators should review and test the patch in a staging environment, particularly if custom RBAC policies have been defined. As an interim mitigation, restrict project manager role assignments to trusted personnel and audit port creation activity on shared networks.

Patch guidance

Apply Neutron 28.0.1 or a newer release. Verify the patch version against the OpenStack security advisory (OSSA-2026-XXX or equivalent) to confirm the fix addresses CVE-2026-50266. Test in a non-production environment to ensure no disruption to existing port configurations or network policies. If running a supported stable branch (e.g., 27.x), verify that a backported patch is available before upgrading to the next major version.

Detection guidance

Monitor Neutron audit logs and API calls for port creation or update operations on shared networks by non-network-owning projects, particularly those setting device_owner to values beginning with "network:". Use OpenStack's port event notifications or Audit middleware to flag cross-project port modifications. Review port configurations via 'openstack port list' and 'openstack port show' to identify any anomalous device_owner assignments. In environments with security monitoring, correlate Neutron API calls with Layer 2 traffic anomalies (unexpected DHCP responses, spoofed MAC addresses) that may indicate exploitation.

Why prioritize this

Although CVSS is LOW, this vulnerability warrants attention because it is a regression of a previously fixed issue (CVE-2015-5240), suggesting a gap in test coverage or review processes. It directly undermines multi-tenant isolation boundaries, a foundational security principle in cloud environments. Organizations with strict isolation requirements or regulatory mandates around workload separation should prioritize patching. Insider threat scenarios and compromised admin accounts elevate practical risk beyond the numerical score.

Risk score, explained

The CVSS 3.1 score of 2.2 (LOW) reflects the requirement for high privilege (project manager role) to trigger the vulnerability and the limited scope of impact (integrity of network traffic, not confidentiality or availability). The complex access conditions (AC:H) and assumption of no user interaction further suppress the score. However, the score does not account for the high business impact in multi-tenant environments where tenant isolation is critical, nor does it capture the reversion of a prior fix—context that security teams should layer into their own risk assessments.

Frequently asked questions

Is this the same as CVE-2015-5240?

No, but it is a regression of the same vulnerability. CVE-2015-5240 was patched years ago, but a code or policy change in Neutron reintroduced the flaw. The new CVE-2026-50266 indicates the vulnerability was accidentally brought back, suggesting a need for review of patch coverage and automated testing.

Can I mitigate this without upgrading if I restrict project manager roles?

Partially. If you limit project manager privileges to a small, trusted group and audit their port modifications closely, you reduce exploitation likelihood. However, this is not a complete fix; the underlying RBAC flaw remains. Upgrade to 28.0.1 or later as the permanent solution.

Does this affect single-tenant or private OpenStack clouds?

No. The vulnerability only applies to multi-tenant environments where multiple projects share a network. Single-tenant or fully isolated deployments are not affected because there is no cross-project attack surface.

How can I detect if this was exploited in my environment?

Look for Neutron API logs of port updates on shared networks by non-owning projects, and correlate them with anomalous Layer 2 or Layer 3 traffic (unsolicited DHCP responses, MAC spoofing, IP conflicts). Review the device_owner field of existing ports for unexpected "network:" prefixes created by non-infrastructure accounts.

This analysis is provided for informational purposes and reflects publicly available CVE data as of the publication date. The CVSS score and affected product versions are sourced from the OpenStack security advisory; verify current patch availability and compatibility with your deployment before applying updates. This vulnerability requires authenticated access with project manager privileges; assess your organization's role-based access controls accordingly. No guarantee is made regarding the completeness or accuracy of detection guidance in all OpenStack configurations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).