Direct Request ('Forced Browsing') Affecting neutron package, versions [26.0.0,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.3% (21st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-NEUTRON-17675122
  • published29 Jun 2026
  • disclosed28 May 2026
  • creditUnknown

Introduced: 28 May 2026

CVE-2026-49299  (opens in a new tab)
CWE-425  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

neutron is an OpenStack project to provide “network connectivity as a service” between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., nova). It implements the Neutron API.

Affected versions of this package are vulnerable to Direct Request ('Forced Browsing') due to a mismatch in policy enforcement for single-tag write operations. An attacker can modify resource metadata without proper authorization by exploiting the ability to create and update tags on resources within the same project.

CVSS Base Scores

version 4.0
version 3.1