CVE-2026-49299

CVE Database · CVE-2026-49299

CVE-2026-49299

· N/ADeferred

CVSS v3.1

N/A

CVSS v4.0

5.3

EPSS

0.25%

Published

May 28, 2026

Modified

May 29, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.

Weaknesses (CWE)

CWE-863

References (3)

https://bugs.launchpad.net/bugs/2150132

https://review.opendev.org/c/openstack/neutron/+/989099

https://www.openwall.com/lists/oss-security/2026/05/28/8

KEV Catalog EPSS Scores Vendors All CVEs