#1138844 OSSA-2026-021: Neutron port RBAC policy bypass allows project managers to set trusted device owners on shared networks (CVE-2026-50266)

Package:
src:neutron
Source:
src:neutron
Submitter:
Thomas Goirand
Date:
2026-06-15 16:11:01 UTC
Severity:
normal
Tags:
#1138844#5
Date:
2026-06-04 15:18:56 UTC
From:
To:
Copying the upstream announcement from here:
https://security.openstack.org/ossa/OSSA-2026-021.html


Date: June 04, 2026
CVE: CVE-2026-pending
Affects: Neutron: >=25.0.0 <25.2.4, >=26.0.0 <26.0.4, >=27.0.0 <27.0.3, ==28.0.0
Note from packaging maintainer: Only Trixie Sid/Testing.
Description:

Tim Shephard from roiai.ca reported a policy enforcement bypass in Neutron’s
default port RBAC rules. A project manager can create or update a port on a
shared network owned by another project and set device_owner to a trusted
network-service value such as network:dhcp. Depending on backend and
deployment, this can bypass anti-spoofing and security group protections. This
is a regression of CVE-2015-5240 (OSSA-2015-018) introduced by the manager
role support change. Deployments running Neutron 25.0.0 or later are affected.

Patches:
https://review.opendev.org/991523 (2025.1/epoxy)
https://review.opendev.org/990356 (2025.2/flamingo)
https://review.opendev.org/990353 (2026.1/gazpacho)
https://review.opendev.org/990273 (2026.2/hibiscus)

Credits:
    Tim Shephard from roiai.ca (CVE-2026-pending)

References:
https://launchpad.net/bugs/2152115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending

Notes:
    A CVE request has been filed with MITRE (CAN-2026-2030702).
    This is a regression of CVE-2015-5240 (OSSA-2015-018).
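
To make the advisory's scenario concrete, the following is an added example for this bug report, not Neutron's code and not the upstream patch. It models the regressed default beside the hardened one ("require network ownership") and adds a small audit over constructed port records for deployments that ran an affected release before patching. The Context/Network/Port records, the function names and the sample data are assumptions; in Neutron the real checks are oslo.policy rules for create_port:device_owner and update_port:device_owner.

```python
"""Model of the port RBAC check described in OSSA-2026-021, with an audit
helper for the window before the patch was applied.

Added example, not Neutron's own policy code. The Context/Network/Port
records, the function names and the sample data are constructed for
illustration; Neutron enforces the real rules through oslo.policy.
"""
from dataclasses import dataclass

# Neutron reserves device_owner values starting with "network:" for its own
# services; network:dhcp is the value the advisory names.
TRUSTED_PREFIX = "network:"


@dataclass(frozen=True)
class Context:
    """The caller: the project its token belongs to and its roles."""
    project_id: str
    roles: frozenset

    @property
    def is_admin(self) -> bool:
        return "admin" in self.roles

    @property
    def is_manager(self) -> bool:
        return "manager" in self.roles


@dataclass(frozen=True)
class Network:
    id: str
    project_id: str  # project that owns the network
    shared: bool     # visible to other projects through network RBAC


@dataclass(frozen=True)
class Port:
    id: str
    network_id: str
    project_id: str  # project that created the port
    device_owner: str


def is_trusted_device_owner(device_owner: str) -> bool:
    return device_owner.startswith(TRUSTED_PREFIX)


def may_set_device_owner_regressed(ctx: Context, network: Network,
                                   device_owner: str) -> bool:
    """Regressed behaviour: with the manager role added, any project manager
    could set a trusted device_owner on any network they can see, shared
    networks owned by other projects included."""
    if not is_trusted_device_owner(device_owner):
        return True
    return ctx.is_admin or ctx.is_manager


def may_set_device_owner_fixed(ctx: Context, network: Network,
                               device_owner: str) -> bool:
    """Fixed behaviour ("require network ownership"): a manager may set a
    trusted device_owner only on a network owned by their own project."""
    if not is_trusted_device_owner(device_owner):
        return True
    if ctx.is_admin:
        return True
    return ctx.is_manager and network.project_id == ctx.project_id


def suspicious_ports(ports, networks, owners=("network:dhcp",)):
    """Post-patch audit: ports carrying one of the listed trusted device_owner
    values on a shared network that belongs to a different project. Neutron's
    DHCP agent creates its network:dhcp port in the network owner's project,
    so a cross-project one deserves a manual look."""
    by_id = {n.id: n for n in networks}
    hits = []
    for p in ports:
        net = by_id.get(p.network_id)
        if net is None or p.device_owner not in owners:
            continue
        if net.shared and p.project_id != net.project_id:
            hits.append(p.id)
    return hits


# Constructed sample data: project A owns a shared network; project B's
# manager creates ports on it.
SHARED_NET_A = Network(id="net-a", project_id="proj-a", shared=True)
MANAGER_A = Context(project_id="proj-a", roles=frozenset({"member", "manager"}))
MANAGER_B = Context(project_id="proj-b", roles=frozenset({"member", "manager"}))
SAMPLE_PORTS = [
    Port("port-1", "net-a", "proj-a", "network:dhcp"),  # owner's DHCP port
    Port("port-2", "net-a", "proj-b", "compute:nova"),  # ordinary VM port
    Port("port-3", "net-a", "proj-b", "network:dhcp"),  # cross-project, review
]
SAMPLE_NETWORKS = [SHARED_NET_A]


if __name__ == "__main__":
    req = (MANAGER_B, SHARED_NET_A, "network:dhcp")
    print("regressed policy allows:", may_set_device_owner_regressed(*req))
    print("fixed policy allows:    ", may_set_device_owner_fixed(*req))
    print("ports to review:", suspicious_ports(SAMPLE_PORTS, SAMPLE_NETWORKS))
```

Run stand-alone, the block shows the regressed check permitting project B's manager to create a network:dhcp port on project A's shared network while the fixed check refuses it, and the audit lists port-3 as the record to review. The audit deliberately takes the device_owner values to look for as a parameter: router interface ports on a shared network legitimately belong to the router's project, so flagging every "network:" value would produce noise.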

#1138844#8
Date:
2026-06-04 15:52:36 UTC
From:
To:
Hello,

Bug #1138844 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/neutron/-/commit/2e7c5773b52fefcf0b0b88cdf2f0d46f7348ef39
------------------------------------------------------------------------
* OSSA-2026-021: Neutron port RBAC policy bypass allows project managers to
    set trusted device owners on shared networks. Added upstream patch: Fix
    port RBAC policies to require network ownership (Closes: #1138844).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1138844

#1138844#15
Date:
2026-06-04 16:05:21 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138844@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated neutron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 03 Jun 2026 13:37:21 +0200
Source: neutron
Architecture: source
Version: 2:28.0.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138844
Changes:
 neutron (2:28.0.0-7) unstable; urgency=medium
 .
   * Updated neutron-keepalived-state-change_as_dash_script.patch.
   * OSSA-2026-021: Neutron port RBAC policy bypass allows project managers to
     set trusted device owners on shared networks. Added upstream patch: Fix
     port RBAC policies to require network ownership (Closes: #1138844).
Checksums-Sha1:
 395e723359106677ceb19610e95a4dc078d1f05d 4929 neutron_28.0.0-7.dsc
 828746e8ecbbe2aeefdb2048f12d270d7f9c2f2a 54932 neutron_28.0.0-7.debian.tar.xz
 b165ed161422728bd88941afb89f2b97d17dca49 22359 neutron_28.0.0-7_amd64.buildinfo
Checksums-Sha256:
 c4bd87d2e7de388e4c1cff46168a088c31a64787365fba8fb3c4663fb964a892 4929 neutron_28.0.0-7.dsc
 3f0f0b5b60ec99165365265e6224555388ff34aab6413c11d8153b15d3b5e233 54932 neutron_28.0.0-7.debian.tar.xz
 d4b499bc5f055a4724edaabb8ffc211d7449bdab9843c82e48abbe47df48d298 22359 neutron_28.0.0-7_amd64.buildinfo
Files:
 3837eee82535c68a2ad211b853b22ee1 4929 net optional neutron_28.0.0-7.dsc
 eedde683daf39690149e2278d76ca419 54932 net optional neutron_28.0.0-7.debian.tar.xz
 d4187b48802b6b60b7ab739b302cd28a 22359 net optional neutron_28.0.0-7_amd64.buildinfo

#1138844#26
Date:
2026-06-11 20:47:15 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138844@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated neutron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 05 Jun 2026 11:00:14 +0200
Source: neutron
Architecture: source
Version: 2:26.0.3-0+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135272 1138844
Changes:
 neutron (2:26.0.3-0+deb13u2) trixie-security; urgency=medium
 .
   * New upstream point release.
   * Removed patches applied upstream:
     - Add_state_reporting_back_to_metadata_agents.patch
     - Fix_LoopingCallBase_argument_issue.patch
   * Add start-time=%t in neutron-api-uwsgi.ini.
   * Add haproxy as runtime depends of neutron-ovn-agent. Thanks to Sakirnth
     Nagarasa for the report (Closes: #1135272).
   * CVE-2026-50266 / OSSA-2026-021: Neutron port RBAC policy bypass allows
     project managers to set trusted device owners on shared networks. Added
     upstream patch: Fix port RBAC policies to require network ownership
     (Closes: #1138844).
Checksums-Sha1:
 07942b56d312f39f43dc72b334042f0f6bcdd3b4 5086 neutron_26.0.3-0+deb13u2.dsc
 153a29dc30b55187ea6bb052e94cb48d012dc500 10241136 neutron_26.0.3.orig.tar.xz
 053543953d67b6774104fa0a98496994369ceea0 47164 neutron_26.0.3-0+deb13u2.debian.tar.xz
 406b88ce61cdaca46373745f1a008a848202e1d4 23146 neutron_26.0.3-0+deb13u2_amd64.buildinfo
Checksums-Sha256:
 dec5eea268039fd604d47036d14cb84f8014d26ff71a29503791679b296a9ad2 5086 neutron_26.0.3-0+deb13u2.dsc
 611e8b2e2aab1f6585bd426bcb91b94c3f88215d2913aa1158f6a604d448c1be 10241136 neutron_26.0.3.orig.tar.xz
 767089c90a06b06b2fa22b32895236a1ef0926343983d8d038d0527e899e2fbb 47164 neutron_26.0.3-0+deb13u2.debian.tar.xz
 7de63a7d206fa1259cd49ad6ac799354c00914c03e7a921891f896408e94c4be 23146 neutron_26.0.3-0+deb13u2_amd64.buildinfo
Files:
 323dfc5e716b4eebb614f0640d771ad0 5086 net optional neutron_26.0.3-0+deb13u2.dsc
 605a4f7f503a30e367b766d6a903f853 10241136 net optional neutron_26.0.3.orig.tar.xz
 7eae47cec7cc4f63ef5664d91ba2eb38 47164 net optional neutron_26.0.3-0+deb13u2.debian.tar.xz
 e2019df24eaff587ca246ab53c7381d9 23146 net optional neutron_26.0.3-0+deb13u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmopEbEACgkQ1BatFaxr
Q/5meQ/+O9QVuuLdXXmBYFQskN4YqKTRr8Qlybz5EaIg96ZiIY6tezlPKKn54nW3
xrQ5m0WpG/A/FavCE4CTRZnL19Rnh9z38z4WisCasIOt1XPfRH+9gy06o8kMdVKy
3yCl84riK3kqKamJUwumHhLellyJA6qzqt4BbAgQkQBgWj5liw3AlWYl+iHbZZbg
AqnPcY9houwAocdWS5G/H3VkbTNIN61yi9n7KaKlwJe/vjRjZ21UzdSmkEXX3dqM
+Eh+YIZVFhgpTp4BKuizXH0XVOTYeqABYjmIcm/Xfh71Io4KP5JfLt96u5NbrBGa
7wB5EinCT6facN6ayRWdsIWfOtuwObme7fDS0QDKSwmmT0emmo+R49d+tj9co6o1
23YQwzR7pYqhq0jotw+PbX4PsVPhIRaAnxaRoAsqHNv/L5v3QL8r0D5SPxyBYjFH
4R92IpKOEru0uoSbGr2nD3oqzqZDeI6bltZQLvkWYuZQlp8eBtWCS0vNsVqUXg1M
jYL61ub4LrXxQViOpL1186xWNGDX6FKrGFPLEi8ajuMdppWLxigw48puwIkcLdm9
zkiManztCieWmv356e4+2XTm5zRePk0v6l0h5yS14e54JyfKPrfKaYbzKpxC8eFb
YXSVFolg4WW2ijrD4wP79KGzuZd7RmUXPkprbQzO3PwHMZSnKSM=
=WRUy
-----END PGP SIGNATURE-----

#1138844#46
Date:
2026-06-15 16:03:27 UTC
From:
To:
Hi,

It looks like you added an email address as a Microsoft account alias.

- 1138844@bugs.debian.org added

NOTE: if you have not yet signed in to this account, you will need to sign in with an email address that has already been verified.

If you added this address as an alias, use this link to verify it:
https://account.live.com/Aliases/Verify?aliasname=1138844%40bugs.debian.org&aliastype=Email&otc=*Drd4yF0vQB2Fu1hiNnl1y!O*DdO80*8zqdwm7wPXllvMD2v39hNBiJ6IhXz2dpiYb41KG6PrQiZrevnYDpVizd0%24&mn=ctmartinez5%40outlook.com&cxt=ALS

If you did not make this request, use this link to cancel it:
https://account.live.com/Aliases/Remove?aliasname=1138844%40bugs.debian.org&aliastype=Email&otc=*Drd4yF0vQB2Fu1hiNnl1y!O*DdO80*8zqdwm7wPXllvMD2v39hNBiJ6IhXz2dpiYb41KG6PrQiZrevnYDpVizd0%24&mn=ctmartinez5%40outlook.com&cxt=ALS

Thanks,
The Microsoft account team
Privacy statement: https://go.microsoft.com/fwlink/?LinkId=521839
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

#1138844#51
Date:
2026-06-15 16:08:09 UTC
From:
To:
CVE-2026-3011

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              e1cdc49846c1    stable/15-n283888
releng/15.1/                            796579bcfbc4  releng/15.1-n283557
releng/15.0/                            6e51dfc401e7  releng/15.0-n281059
stable/14/                              e417948e6139    stable/14-n274317
releng/14.4/                            547fc2a98a24  releng/14.4-n273721
releng/14.3/                            744f62ccbf82  releng/14.3-n271521

#1138844#56
Date:
2026-06-15 16:09:06 UTC
From:
To:
Hi,

It looks like you added an email address as a Microsoft account alias.

- 1138844@bugs.debian.org Added

NOTE: If you're not already logged in to this account, you will need to log in using an email address that has already been verified.

If you added this email address as an alias, use this link to verify:
https://account.live.com/Aliases/Verify?aliasname=1138844%40bugs.debian.org&aliastype=Email&otc=*Dud!fNmuee5RlWIPjj5YPNunuY*iZbHYWq90TUyyEZqji*cRAwjR5U712a!mMRyMfT6HiADKGOFTvWpsh9Dtl1U%24&mn=ctmartinez5%40outlook.com&cxt=Default

If you didn't make this request, use this link to cancel:
https://account.live.com/Aliases/Remove?aliasname=1138844%40bugs.debian.org&aliastype=Email&otc=*Dud!fNmuee5RlWIPjj5YPNunuY*iZbHYWq90TUyyEZqji*cRAwjR5U712a!mMRyMfT6HiADKGOFTvWpsh9Dtl1U%24&mn=ctmartinez5%40outlook.com&cxt=Default

Thanks,
The Microsoft account team
Privacy Statement: https://go.microsoft.com/fwlink/?LinkId=521839
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052