{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-50266", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-06-04T16:18:38.592Z", "datePublished": "2026-06-04T16:18:39.167Z", "dateUpdated": "2026-06-04T17:28:01.143Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Neutron", "repo": "https://opendev.org/openstack/neutron", "vendor": "OpenStack", "versions": [{"lessThan": "25.2.4", "status": "affected", "version": "25.0.0", "versionType": "semver"}, {"lessThan": "26.0.4", "status": "affected", "version": "26.0.0", "versionType": "semver"}, {"lessThan": "27.0.3", "status": "affected", "version": "27.0.0", "versionType": "semver"}, {"lessThan": "28.0.1", "status": "affected", "version": "28.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has \"network:\" at the beginning (\"network:dhcp\" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-06-04T16:18:39.167Z"}, "references": [{"tags": ["issue-tracking"], "url": "https://launchpad.net/bugs/2152115"}, {"tags": ["patch"], "url": "https://review.opendev.org/990273"}, {"tags": ["patch"], "url": "https://review.opendev.org/990353"}, {"tags": ["patch"], "url": "https://review.opendev.org/990356"}, {"url": "https://www.openwall.com/lists/oss-security/2026/06/04/6"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "versionStartIncluding": "25.0.0", "versionEndExcluding": "25.2.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0.0", "versionEndExcluding": "26.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "versionStartIncluding": "27.0.0", "versionEndExcluding": "27.0.3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "versionStartIncluding": "28.0.0", "versionEndExcluding": "28.0.1"}]}]}]}, "adp": [{"references": [{"url": "https://bugs.launchpad.net/neutron/+bug/2152115", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-04T17:27:57.789824Z", "id": "CVE-2026-50266", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-04T17:28:01.143Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-50266", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-04T17:27:57.789824Z"}}}], "references": [{"url": "https://bugs.launchpad.net/neutron/+bug/2152115", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-04T17:27:46.791Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://opendev.org/openstack/neutron", "vendor": "OpenStack", "product": "Neutron", "versions": [{"status": "affected", "version": "25.0.0", "lessThan": "25.2.4", "versionType": "semver"}, {"status": "affected", "version": "26.0.0", "lessThan": "26.0.4", "versionType": "semver"}, {"status": "affected", "version": "27.0.0", "lessThan": "27.0.3", "versionType": "semver"}, {"status": "affected", "version": "28.0.0", "lessThan": "28.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://launchpad.net/bugs/2152115", "tags": ["issue-tracking"]}, {"url": "https://review.opendev.org/990273", "tags": ["patch"]}, {"url": "https://review.opendev.org/990353", "tags": ["patch"]}, {"url": "https://review.opendev.org/990356", "tags": ["patch"]}, {"url": "https://www.openwall.com/lists/oss-security/2026/06/04/6"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has \"network:\" at the beginning (\"network:dhcp\" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "25.2.4", "versionStartIncluding": "25.0.0"}, {"criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "26.0.4", "versionStartIncluding": "26.0.0"}, {"criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "27.0.3", "versionStartIncluding": "27.0.0"}, {"criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "28.0.1", "versionStartIncluding": "28.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-06-04T16:18:39.167Z"}}}, "cveMetadata": {"cveId": "CVE-2026-50266", "state": "PUBLISHED", "dateUpdated": "2026-06-04T17:28:01.143Z", "dateReserved": "2026-06-04T16:18:38.592Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-06-04T16:18:39.167Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has \"network:\" at the beginning (\"network:dhcp\" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018)."}], "id": "CVE-2026-50266", "lastModified": "2026-06-04T19:15:17.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-06-04T17:16:33.517", "references": [{"source": "cve@mitre.org", "url": "https://launchpad.net/bugs/2152115"}, {"source": "cve@mitre.org", "url": "https://review.opendev.org/990273"}, {"source": "cve@mitre.org", "url": "https://review.opendev.org/990353"}, {"source": "cve@mitre.org", "url": "https://review.opendev.org/990356"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2026/06/04/6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://bugs.launchpad.net/neutron/+bug/2152115"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "openstack-neutron: OpenStack Neutron: Network spoofing via incorrect port RBAC policies", "id": "2484852", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484852"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-639", "details": ["In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has \"network:\" at the beginning (\"network:dhcp\" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).", "A flaw was found in OpenStack Neutron. A project manager can exploit this vulnerability by creating or updating a port on a shared network and setting the device_owner to a specific value. This bypasses default access controls, allowing the project manager to obtain trusted network-service port behavior. This can enable DHCP, MAC, or IP spoofing against other tenants on the shared network, potentially leading to information disclosure or disruption of network services."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-50266", "package_state": [{"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Fix deferred", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Fix deferred", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-06-04T16:18:39Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-50266\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-50266\nhttps://launchpad.net/bugs/2152115\nhttps://review.opendev.org/990273\nhttps://review.opendev.org/990353\nhttps://review.opendev.org/990356\nhttps://www.openwall.com/lists/oss-security/2026/06/04/6"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.0.0,25.2.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[26.0.0,26.0.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[27.0.0,27.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[28.0.0,28.0.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Neutron", "source": "cna", "vendor": "OpenStack"}, "product": "neutron", "vendor": "openstack"}], "created": "2026-06-04T18:00:13.432855+00:00", "updated": "2026-06-12T02:00:12.831943+00:00", "vendors": ["openstack", "openstack$PRODUCT$neutron"]}