{"id":"PYSEC-2026-862","summary":"OpenStack Compute (Nova) Resource limit circumvention in Nova private flavors","details":"The \"create an instance\" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id.  NOTE: this issue is due to an incomplete fix for CVE-2013-2256.","aliases":["CVE-2013-4278","GHSA-43cm-73px-5v4m"],"modified":"2026-07-07T11:45:19.100930032Z","published":"2026-07-06T08:03:27.046130Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2013-4278"},{"type":"WEB","url":"https://github.com/openstack/nova/commit/4054cc4a22a1fea997dec76afb5646fd6c6ea6b9"},{"type":"WEB","url":"https://github.com/openstack/nova/commit/6825959560e06725d26625fd21f5c0b78b305492"},{"type":"WEB","url":"https://github.com/openstack/nova/commit/8b686195afe7e6dfb46c56c1ef2fe9c993d8e495"},{"type":"WEB","url":"https://bugs.launchpad.net/ossa/+bug/1212179"},{"type":"PACKAGE","url":"https://github.com/openstack/nova"},{"type":"WEB","url":"http://lists.openstack.org/pipermail/openstack-announce/2013-August/000138.html"},{"type":"WEB","url":"http://rhn.redhat.com/errata/RHSA-2013-1199.html"},{"type":"PACKAGE","url":"https://pypi.org/project/nova"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-43cm-73px-5v4m"}],"affected":[{"package":{"name":"nova","ecosystem":"PyPI","purl":"pkg:pypi/nova"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"12.0.0a0"}]}],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/nova/PYSEC-2026-862.yaml"}}],"schema_version":"1.7.5"}