#1140678 CVE-2026-50221 / OSSA-2026-024: Swift proxy-server SSRF via header injection

Package:
src:swift
Source:
src:swift
Submitter:
Thomas Goirand
Date:
2026-06-24 14:37:03 UTC
Severity:
normal
#1140678#5
Date:
2026-06-24 13:23:23 UTC
As per upstream announcement:
https://security.openstack.org/ossa/OSSA-2026-024.html

OSSA-2026-024: Swift proxy-server SSRF via header injection

Date: June 23, 2026
CVE: CVE-2026-50221

Affects:
    Swift: >=2.0.0 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2

Description:
Tim Shephard from roiai.ca reported a server-side request forgery (SSRF)
vulnerability in Swift’s proxy-server. An authenticated user can cause Swift
object servers to issue outbound HTTP requests to attacker-specified hosts,
potentially exposing internal infrastructure details. All deployments running
Swift 2.0.0 or later are affected.

Patches
https://review.opendev.org/994452 (2025.1/epoxy)
https://review.opendev.org/994451 (2025.2/flamingo)
https://review.opendev.org/994450 (2026.1/gazpacho)
https://review.opendev.org/994449 (2026.2/hibiscus (development))

Credits
    Tim Shephard from roiai.ca (CVE-2026-50221)

References
https://launchpad.net/bugs/2150261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50221

#1140678#8
Date:
2026-06-24 13:45:12 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/cc5c8e4281606e290355e2794d486095811b8b4f
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#13
Date:
2026-06-24 13:46:00 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/04887fcdaae7ff64a7e6bb3b53fd8657fb4a7126
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#16
Date:
2026-06-24 13:48:05 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/26d2c4032246d4d050e0b162881579b9ac416635
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#19
Date:
2026-06-24 13:48:07 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/b67b96fcccc2102c13bf2147503453bbeadee9e3
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#22
Date:
2026-06-24 13:48:11 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/7a24aee3c30ec6d35050096c7e10f4a58a644f13
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#25
Date:
2026-06-24 13:48:46 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/fe8eea95ff64155c40269cec59bf9cd5dfe66033
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#28
Date:
2026-06-24 13:49:24 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/b0488afd92d7f33d1dd79c19472053f089bf1b9a
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#31
Date:
2026-06-24 13:50:24 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/09612b11455f0015113b1dd44a6d8324993f69cf
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#34
Date:
2026-06-24 13:51:12 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/eee41bedafbd4b1d7cb8345e4daa145ea3557175
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#37
Date:
2026-06-24 13:51:43 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/3418d429f1a0e836bbb742d55963e7a548e49f4c
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#40
Date:
2026-06-24 13:52:17 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/b681f451460feec0b20d882882b87524808d024a
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#43
Date:
2026-06-24 13:52:48 UTC
Hello,

Bug #1140678 in swift reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/swift/-/commit/914ebed0f24d14076e76184bf5f9517d67297db2
------------------------------------------------------------------------
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
    injection: applied upstream patch: Block internal update headers at the
    gatekeeper (Closes: #1140678).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140678

#1140678#52
Date:
2026-06-24 14:36:03 UTC
We believe that the bug you reported is fixed in the latest version of
swift, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated swift package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 10 Jun 2026 10:31:50 +0200
Source: swift
Architecture: source
Version: 2.37.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1140678
Changes:
 swift (2.37.1-5) unstable; urgency=medium
 .
   * CVE-2026-50221: Swift proxy-server SSRF via internal update header
     injection: applied upstream patch: Block internal update headers at the
     gatekeeper (Closes: #1140678).
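
A version triage check built from the affected ranges in OSSA-2026-024 and the fixed upload recorded in the closing message, as an added example that is not part of this bug log or of Swift. It shows why comparing only the upstream version misreports the patched Debian package: 2.37.1 lies inside an affected range, while 2.37.1-5 carries the backported fix. The function names and result labels are assumptions made for this example.

```python
import re

# Affected upstream ranges from OSSA-2026-024, as half-open (low, high) pairs.
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 35, 3)),
    ((2, 36, 0), (2, 36, 2)),
    ((2, 37, 0), (2, 37, 2)),
]
# Debian upload that closes #1140678: upstream 2.37.1, Debian revision 5.
DEBIAN_FIXED = ((2, 37, 1), 5)

VERSION_RE = re.compile(r"(?:\d+:)?(\d+)\.(\d+)\.(\d+)(?:-(\S+))?")


def parse_version(text):
    """Split '[epoch:]X.Y.Z[-revision]' into ((X, Y, Z), revision or None)."""
    match = VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unsupported version string: {text!r}")
    upstream = tuple(int(part) for part in match.group(1, 2, 3))
    return upstream, match.group(4)


def upstream_affected(upstream):
    """True when the upstream version falls inside an advisory range."""
    return any(low <= upstream < high for low, high in AFFECTED_RANGES)


def classify(version):
    """Return 'not-affected', 'affected', 'fixed-by-backport' or 'unknown'."""
    upstream, revision = parse_version(version)
    if not upstream_affected(upstream):
        return "not-affected"
    if revision is None:
        return "affected"  # plain upstream release inside a listed range
    fixed_upstream, fixed_revision = DEBIAN_FIXED
    if upstream == fixed_upstream and revision.isdecimal():
        # Same upstream base as the fixed upload: compare Debian revisions.
        return "fixed-by-backport" if int(revision) >= fixed_revision else "affected"
    # Other packaged builds may carry the patch; this bug log does not say.
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real inventory.
    for sample in ("2.37.1", "2.37.1-5", "2.37.1-4", "2.37.2", "2.35.2-1+deb13u1"):
        print(sample, classify(sample))
```

An "unknown" result means the package version alone cannot settle the question; check that suite's changelog for the CVE-2026-50221 entry.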