CVE-2026-50266

LOW 2.2

CVSS Score

2.2

EPSS Score

0.0%

EPSS Percentile

0th

In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).

CWE	CWE-863
Vendor	openstack
Product	neutron
Published	Jun 4, 2026
Last Updated	Jun 4, 2026

Stay Ahead of the Next One

Get instant alerts for openstack neutron

Be the first to know when new low vulnerabilities affecting openstack neutron are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

OpenStack / Neutron

25.0.0 < 25.2.4 26.0.0 < 26.0.4 27.0.0 < 27.0.3 28.0.0 < 28.0.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

launchpad.net: https://launchpad.net/bugs/2152115 review.opendev.org: https://review.opendev.org/990273 review.opendev.org: https://review.opendev.org/990353 review.opendev.org: https://review.opendev.org/990356 openwall.com: https://www.openwall.com/lists/oss-security/2026/06/04/6 bugs.launchpad.net: https://bugs.launchpad.net/neutron/+bug/2152115