{"id":"USN-8413-1","summary":"cyborg vulnerabilities","details":"It was discovered that Cyborg did not properly enforce project ownership in\nthe Accelerator Request (ARQ) API. An authenticated user could possibly use\nthis issue to delete ARQs bound to other projects' instances, resulting in\na cross-tenant denial of service. (CVE-2026-40214)\n\nIt was discovered that Cyborg used a permissive default policy that\nauthorized any request carrying a valid authentication token, regardless of\nroles or scope, for multiple API endpoints. An authenticated user could\npossibly use this issue to perform unauthorized actions, such as\nreprogramming FPGA bitstreams on arbitrary compute nodes. (CVE-2026-40213)","modified":"2026-06-09T21:29:23.859315177Z","published":"2026-06-09T16:09:11Z","related":["UBUNTU-CVE-2026-40213","UBUNTU-CVE-2026-40214"],"upstream":["CVE-2026-40213","CVE-2026-40214","UBUNTU-CVE-2026-40213","UBUNTU-CVE-2026-40214"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8413-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-40213"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-40214"}],"affected":[{"package":{"name":"cyborg","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/cyborg?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"14.0.0-3+deb13u1build0.25.10.1"}]}],"versions":["13.0.0-2","14.0.0-2","14.0.0-3"],"ecosystem_specific":{"binaries":[{"binary_version":"14.0.0-3+deb13u1build0.25.10.1","binary_name":"cyborg-agent"},{"binary_version":"14.0.0-3+deb13u1build0.25.10.1","binary_name":"cyborg-api"},{"binary_version":"14.0.0-3+deb13u1build0.25.10.1","binary_name":"cyborg-common"},{"binary_version":"14.0.0-3+deb13u1build0.25.10.1","binary_name":"cyborg-conductor"},{"binary_version":"14.0.0-3+deb13u1build0.25.10.1","binary_name":"python3-cyborg"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:25.10","cves":[{"id":"CVE-2026-40213","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-40214","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8413-1.json"}},{"package":{"name":"cyborg","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/cyborg?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"16.0.0-2ubuntu0.1"}]}],"versions":["14.0.0-3","15.0.0-1","16.0.0~rc1-2","16.0.0-2"],"ecosystem_specific":{"binaries":[{"binary_version":"16.0.0-2ubuntu0.1","binary_name":"cyborg-agent"},{"binary_version":"16.0.0-2ubuntu0.1","binary_name":"cyborg-api"},{"binary_version":"16.0.0-2ubuntu0.1","binary_name":"cyborg-common"},{"binary_version":"16.0.0-2ubuntu0.1","binary_name":"cyborg-conductor"},{"binary_version":"16.0.0-2ubuntu0.1","binary_name":"python3-cyborg"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:26.04:LTS","cves":[{"id":"CVE-2026-40213","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-40214","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8413-1.json"}}],"schema_version":"1.7.5"}