In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).

Project Subscriptions

Vendors Products
Openstack Subscribe
Neutron Subscribe
Advisories
Source ID Title
Debian DSA Debian DSA DSA-6340-1 neutron security update
Github GHSA Github GHSA GHSA-qmc5-gv6v-8p22 OpenStack Neutron: Neutron port RBAC policy bypass allows project managers to set trusted device owners on shared networks
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 12 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Network-Scoped Port Creation Enables Spoofing in OpenStack Neutron openstack-neutron: OpenStack Neutron: Network spoofing via incorrect port RBAC policies
Weaknesses CWE-639
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Network-Scoped Port Creation Enables Spoofing in OpenStack Neutron

Thu, 04 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).
First Time appeared Openstack
Openstack neutron
Weaknesses CWE-863
CPEs cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack neutron
References
Metrics cvssV3_1

{'score': 2.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-04T17:28:01.143Z

Reserved: 2026-06-04T16:18:38.592Z

Link: CVE-2026-50266

cve-icon Vulnrichment

Updated: 2026-06-04T17:27:46.791Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-04T17:16:33.517

Modified: 2026-06-04T19:15:17.327

Link: CVE-2026-50266

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-04T16:18:39Z

Links: CVE-2026-50266 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T02:00:12Z

Weaknesses