{"id":"PYSEC-2026-433","summary":"OpenStack Octavia Amphora-Agent not requiring Client-Certificate","details":"Amphora Images in OpenStack Octavia \u003e=0.10.0 \u003c2.1.2, \u003e=3.0.0 \u003c3.2.0, \u003e=4.0.0 \u003c4.1.0 allow anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the `cmd/agent.py` gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED. The boolean True equals 1, which is the value of ssl.CERT_OPTIONAL, so the agent requests a client certificate but still accepts connections that present none.","aliases":["CVE-2019-17134","GHSA-r4v4-3jj7-jc29"],"modified":"2026-07-02T13:00:04.969634207Z","published":"2026-06-29T11:50:32.761316Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-17134"},{"type":"WEB","url":"https://github.com/openstack/octavia/commit/1725517d1d209f26b2275306d83e49c099dcbe1a"},{"type":"WEB","url":"https://github.com/openstack/octavia/commit/2976a7f0f109e17930db8a61136526ead44ea7e5"},{"type":"WEB","url":"https://github.com/openstack/octavia/commit/624ff08f27bcb73788663cbe6d35cbe29c537844"},{"type":"WEB","url":"https://github.com/openstack/octavia/commit/89a2f6e0136ad49d928eb65b4cf555af2a2b8ab1"},{"type":"WEB","url":"https://github.com/openstack/octavia/commit/b0c2cd7b4c835c391cfedf12cf9f9ff8a0aabd17"},{"type":"WEB","url":"https://github.com/openstack/octavia/commit/c2fdffc3b748f8007c72e52df257e38756923b40"},{"type":"PACKAGE","url":"https://github.com/openstack/octavia"},{"type":"WEB","url":"https://review.opendev.org/686541"},{"type":"WEB","url":"https://review.opendev.org/686543"},{"type":"WEB","url":"https://review.opendev.org/686544"},{"type":"WEB","url":"https://review.opendev.org/686545"},{"type":"WEB","url":"https://review.opendev.org/686546"},{"type":"WEB","url":"https://review.opendev.org/686547"},{"type":"WEB","url":"https://security.openstack.org/ossa/OSSA-2019-005.html"},{"type":"WEB","url":"https://storyboard.openstack.org/#!/story/2006660"},{"type":"PACKAGE","url"
:"https://pypi.org/project/octavia"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-r4v4-3jj7-jc29"}],"affected":[{"package":{"name":"octavia","ecosystem":"PyPI","purl":"pkg:pypi/octavia"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.10.0"},{"fixed":"2.1.2"},{"introduced":"3.0.0"},{"fixed":"3.2.0"},{"introduced":"4.0.0"},{"fixed":"4.1.0"}]}],"versions":["0.10.0","1.0.0","1.0.0.0b1","1.0.0.0b2","1.0.0.0b3","1.0.0.0rc1","1.0.0.0rc2","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","2.0.0","2.0.0.0b1","2.0.0.0b2","2.0.0.0b3","2.0.0.0rc1","2.0.0.0rc2","2.0.1","2.0.2","2.0.3","2.0.4","2.1.0","2.1.1","3.0.0","3.0.1","3.0.2","3.1.0","3.1.1","4.0.0","4.0.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/octavia/PYSEC-2026-433.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}