OpenStack Cyborg Project Ownership Enforcement Vulnerability in ARQ API Allowing Cross-Tenant Denial-of-Service

Vulnerability

A vulnerability exists in the OpenStack Cyborg Accelerator Request (ARQ) API prior to version 16.0.1, where project ownership is not enforced at any level. The 'project_id' column in the database is never populated, so database queries cannot filter ARQs by project. As a result, any authenticated non-admin user can delete ARQs associated with instances from other projects, causing a denial-of-service because the affected VM can no longer restart.

Impact

Exploitation of this vulnerability allows for cross-tenant denial-of-service, as it disrupts the normal operation of virtual machines by preventing them from restarting.

Reproduction

The vulnerability can be reproduced by an authenticated non-admin user who deletes an ARQ bound to an instance in a different project. This can be done through the ARQ API, which lacks proper project ownership checks.

Remediation

Users can update to OpenStack Cyborg versions 16.0.1 or later, or apply the backported patches available for the 2024.2, 2025.1, 2025.2 and 2026.1 branches.
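The two halves of the fix described above, populating project_id when an ARQ is created and filtering by it on every lookup, as an added illustration; this is a minimal in-memory model written for this page, not Cyborg's own code. The class names, the RequestContext fields and the NotFound/Forbidden exceptions are assumptions; the fail-closed handling of rows whose project_id was never populated is the behaviour a defender would want for legacy data.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RequestContext:
    project_id: str
    is_admin: bool = False


@dataclass
class ARQ:
    uuid: str
    instance_uuid: str
    project_id: Optional[str]  # None models the never-populated legacy column


class NotFound(Exception):
    pass


def create_arq(store: Dict[str, ARQ], ctx: RequestContext, instance_uuid: str) -> ARQ:
    # Fix part 1: record the owning project from the caller's context at creation time.
    arq = ARQ(uuid=str(uuid.uuid4()), instance_uuid=instance_uuid, project_id=ctx.project_id)
    store[arq.uuid] = arq
    return arq


def can_access(ctx: RequestContext, arq: ARQ) -> bool:
    # Fix part 2: non-admins only see ARQs owned by their own project.
    # A legacy row with project_id=None matches no tenant, so it fails closed.
    if ctx.is_admin:
        return True
    return arq.project_id is not None and arq.project_id == ctx.project_id


def get_arq(store: Dict[str, ARQ], ctx: RequestContext, arq_uuid: str) -> ARQ:
    arq = store.get(arq_uuid)
    # Return NotFound for both "missing" and "not yours" so the API does not
    # confirm that another tenant's ARQ exists.
    if arq is None or not can_access(ctx, arq):
        raise NotFound(arq_uuid)
    return arq


def delete_arq(store: Dict[str, ARQ], ctx: RequestContext, arq_uuid: str) -> ARQ:
    arq = get_arq(store, ctx, arq_uuid)  # ownership is enforced before any delete
    del store[arq.uuid]
    return arq
```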

Added: May 7, 2026, 10:40 PM
Updated: May 7, 2026, 10:40 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.9
exploitability: 6.6
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.