Several security issues were fixed in Cyborg.
Software Description:
- cyborg: OpenStack Acceleration as a Service
Details:
It was discovered that Cyborg did not properly enforce project ownership in
the Accelerator Request (ARQ) API. An authenticated user could possibly use
this issue to delete ARQs bound to other projects' instances, resulting in
a cross-tenant denial of service. (CVE-2026-40214)
It was discovered that Cyborg used a permissive default policy that
authorized any request carrying a valid authentication token, regardless of
roles or scope, for multiple API endpoints. An authenticated user could
possibly use this issue to perform unauthorized actions, such as
reprogramming FPGA bitstreams on arbitrary compute nodes. (CVE-2026-40213)
The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS cyborg-agent 16.0.0-2ubuntu0.1 cyborg-api 16.0.0-2ubuntu0.1 cyborg-common 16.0.0-2ubuntu0.1 cyborg-conductor 16.0.0-2ubuntu0.1 python3-cyborg 16.0.0-2ubuntu0.1 Ubuntu 25.10 cyborg-agent 14.0.0-3+deb13u1build0.25.10.1 cyborg-api 14.0.0-3+deb13u1build0.25.10.1 cyborg-common 14.0.0-3+deb13u1build0.25.10.1 cyborg-conductor 14.0.0-3+deb13u1build0.25.10.1 python3-cyborg 14.0.0-3+deb13u1build0.25.10.1 In general, a standard system update will make all the necessary changes.
https://ubuntu.com/security/notices/USN-8413-1
CVE-2026-40213, CVE-2026-40214
Get the latest Linux and open source security news straight to your inbox.