Critical Vulnerabilities in Cyborg API Affect Ubuntu Users
Severity: High (Score: 72.0)
Sources: launchpad.net, Ubuntu, Linuxsecurity
Keywords: cyborg, ubuntu, security, issue, project, critical, flaws
Severity indicators: critical, flaw, issue, security issue
Summary
Two critical vulnerabilities were discovered in the Cyborg API, affecting Ubuntu 26.04 LTS and Ubuntu 25.10. The first (CVE-2026-40214) lets an authenticated user delete Accelerator Requests (ARQs) that belong to other projects, a cross-tenant denial of service. The second (CVE-2026-40213) is a permissive default policy that authorizes any request carrying a valid authentication token, regardless of the caller's role or scope, which permits privileged actions such as reprogramming FPGA bitstreams on compute nodes. Both CVEs were published on May 7, 2026; Ubuntu released fixed packages in USN-8413-1 on June 9, 2026, and affected users should update without delay. Ubuntu Pro offers ten-year security coverage for the affected packages.

Key Points:
- Two critical vulnerabilities (CVE-2026-40213, CVE-2026-40214) impact Ubuntu 26.04 LTS and 25.10.
- CVE-2026-40214 allows deletion of other projects' ARQs, risking cross-tenant denial of service.
- CVE-2026-40213 permits unauthorized actions, including FPGA reprogramming, via a permissive default policy.
Detailed Analysis
**Impact**

Ubuntu 26.04 LTS, Ubuntu 25.10, and their derivatives running the Cyborg OpenStack service are affected. Any authenticated user can delete Accelerator Requests (ARQs) that belong to other projects, causing a cross-tenant denial of service, and can perform privileged operations such as reprogramming FPGA bitstreams on arbitrary compute nodes. The exposure is greatest in multi-tenant clouds that rely on Cyborg for hardware acceleration management, where a low-privileged tenant can disrupt other tenants' workloads and alter the state of shared accelerator hardware.

**Technical Details**

Two issues are identified. CVE-2026-40214: the ARQ API does not enforce project ownership, so an ARQ addressed by its UUID can be deleted by a caller from a different project. CVE-2026-40213: the default policy is permissive and authorizes any request that carries a valid token, regardless of the caller's role or scope, so endpoints that should be restricted (such as device programming) accept actions from ordinary users. Both are authorization failures rather than authentication bypasses: the attacker needs valid credentials, and the flaws sit at the post-authentication stage of the kill chain, after Keystone has accepted the token. Multiple Cyborg API endpoints are affected. No malware, IOCs or exploit details are given in the sources.

**Recommended Response**

Apply the updates from Ubuntu Security Notice USN-8413-1 immediately, upgrading cyborg-agent, cyborg-api, cyborg-common, cyborg-conductor and python3-cyborg to the patched versions for Ubuntu 26.04 LTS and 25.10, and make sure the cyborg-api and cyborg-conductor services have been restarted so the new code and default policy are in effect. Then verify the effective policy: Cyborg, like other OpenStack services, resolves its rules through oslo.policy, and an operator-supplied policy.yaml overrides the defaults shipped in the package, so a deployment that copied the old permissive rules into policy.yaml stays exposed after the upgrade. ARQ operations should be scoped to the caller's project (admin or owner), and device programming should be restricted to an administrative role. Monitor the API for unusual activity, in particular ARQ deletions where the caller's project differs from the ARQ's project and any deployable programming requests from non-administrative accounts. The sources provide no detection signatures or IOCs.
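The two failure shapes described above, as an added Python illustration that is neither Cyborg's code nor the patched code from USN-8413-1: a toy ARQ service is wired once with a permissive policy and no project scoping (the vulnerable shape the advisory describes) and once with role- and ownership-aware rules. The action names (cyborg:arq:delete, cyborg:deployable:program), the RequestContext and ARQ shapes, the host and bitstream identifiers, and the policy callables are assumptions that stand in for Cyborg's oslo.policy rules and data model.

```python
# Added illustration, not Cyborg's own code.  Action names, context/ARQ shapes
# and the policy callables are assumptions modelled on OpenStack conventions.
from dataclasses import dataclass


class Forbidden(Exception):
    """A policy rule rejected the request (HTTP 403 in a real API)."""


class NotFound(Exception):
    """No ARQ with that UUID is visible to the caller (HTTP 404)."""


@dataclass(frozen=True)
class RequestContext:
    """What Keystone auth middleware attaches to an authenticated request."""
    user_id: str
    project_id: str
    roles: tuple


@dataclass
class ARQ:
    uuid: str
    project_id: str      # owning tenant, recorded at creation time
    device_profile: str


def any_valid_token(ctx, target):
    """Permissive rule: every authenticated caller passes (vulnerable shape)."""
    return ctx is not None


def admin_only(ctx, target):
    return "admin" in ctx.roles


def admin_or_owner(ctx, target):
    """Admins pass; members pass only for a target in their own project."""
    return "admin" in ctx.roles or (
        "member" in ctx.roles and target.get("project_id") == ctx.project_id
    )


# Policy tables keyed by action name (illustrative names).
PERMISSIVE_POLICY = {
    "cyborg:arq:delete": any_valid_token,
    "cyborg:deployable:program": any_valid_token,
}
HARDENED_POLICY = {
    "cyborg:arq:delete": admin_or_owner,
    "cyborg:deployable:program": admin_only,
}


class ARQService:
    def __init__(self, policy, scope_lookup_to_project):
        self.policy = policy
        # Whether a non-admin caller can address ARQs outside its own project.
        self.scope_lookup_to_project = scope_lookup_to_project
        self._arqs = {}

    def create_arq(self, ctx, uuid, device_profile):
        arq = ARQ(uuid, ctx.project_id, device_profile)
        self._arqs[uuid] = arq
        return arq

    def _get(self, ctx, uuid):
        arq = self._arqs.get(uuid)
        # Vulnerable shape: lookup by UUID alone, ignoring the owning project.
        # Hardened shape: a foreign ARQ is indistinguishable from a missing one,
        # so the API neither deletes it nor confirms that it exists.
        if arq is None or (
            self.scope_lookup_to_project
            and "admin" not in ctx.roles
            and arq.project_id != ctx.project_id
        ):
            raise NotFound(uuid)
        return arq

    def delete_arq(self, ctx, uuid):
        arq = self._get(ctx, uuid)
        # The target carries the ARQ's project so an owner-aware rule can use it.
        if not self.policy["cyborg:arq:delete"](ctx, {"project_id": arq.project_id}):
            raise Forbidden("cyborg:arq:delete")
        del self._arqs[uuid]

    def program_deployable(self, ctx, host, bitstream_id):
        if not self.policy["cyborg:deployable:program"](ctx, {"host": host}):
            raise Forbidden("cyborg:deployable:program")
        return f"programmed {bitstream_id} on {host}"

    def count(self):
        return len(self._arqs)


def cross_tenant_delete(policy, scoped):
    """Outcome when a member of project B deletes project A's ARQ (CVE-2026-40214)."""
    svc = ARQService(policy, scoped)
    alice = RequestContext("alice", "proj-a", ("member",))
    bob = RequestContext("bob", "proj-b", ("member",))
    svc.create_arq(alice, "arq-1", "fpga-profile")
    try:
        svc.delete_arq(bob, "arq-1")
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__
    return "deleted"


def owner_delete(policy, scoped):
    """Owner deletes its own ARQ; returns how many ARQs remain (expect 0)."""
    svc = ARQService(policy, scoped)
    alice = RequestContext("alice", "proj-a", ("member",))
    svc.create_arq(alice, "arq-1", "fpga-profile")
    svc.delete_arq(alice, "arq-1")
    return svc.count()


def member_programs_fpga(policy):
    """Outcome when a plain member reprograms a device (CVE-2026-40213)."""
    svc = ARQService(policy, True)
    bob = RequestContext("bob", "proj-b", ("member",))
    try:
        svc.program_deployable(bob, "compute-7", "bitstream-42")
    except Forbidden:
        return "Forbidden"
    return "programmed"


if __name__ == "__main__":
    print("vulnerable:", cross_tenant_delete(PERMISSIVE_POLICY, False),
          member_programs_fpga(PERMISSIVE_POLICY))
    print("hardened:", cross_tenant_delete(HARDENED_POLICY, True),
          member_programs_fpga(HARDENED_POLICY))
```

Two design points carry over to a real deployment. First, ownership is enforced twice in the hardened shape, once by scoping the lookup and once by passing the owning project to the rule, so a policy file that is later loosened still does not expose other tenants' ARQs by UUID. Second, a foreign ARQ returns NotFound rather than Forbidden, which avoids confirming to one tenant that another tenant's resource exists. The equivalent of HARDENED_POLICY in production is the package's shipped defaults plus whatever policy.yaml adds, so check the overrides, not just the package version.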
Source articles (4)
- USN-8413-1: Cyborg vulnerabilities — Ubuntu · 2026-06-09
  It was discovered that Cyborg did not properly enforce project ownership in the Accelerator Request (ARQ) API. An authenticated user could possibly use this issue to delete ARQs bound to other project…
- Cyborg — launchpad.net · 2026-06-09
  cyborg-agent: OpenStack Acceleration as a Service - processor; cyborg-api: OpenStack Acceleration as a Service - API server; cyborg-common: OpenStack Acceleration as a Service - common files; cyborg-cond…
- 14.0.0-3+deb13u1build0.25.10.1 — launchpad.net · 2026-06-09
  Cyborg provides a general management framework for accelerators such as FPGA, GPU, SoCs, NVMe SSDs, CCIX caches, DPDK/SPDK, pmem and so forth. It provides a REST API for basic accelerator life cycle m…
- Ubuntu 26.04 LTS Cyborg Critical API Flaws Denial of Service USN-8413 — Linuxsecurity · 2026-06-09
  A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 26.04 LTS, Ubuntu 25.10. Summary: Several security issues were fixed in Cyborg. Software Description: cyborg: OpenStac…
Timeline
- 2026-05-07 — CVE-2026-40213 published: A permissive policy in Cyborg API allows unauthorized actions, affecting multiple endpoints.
- 2026-05-07 — CVE-2026-40214 published: Improper project ownership enforcement in Cyborg API enables deletion of ARQs across projects.
- 2026-06-09 — Security notice issued: Ubuntu released a security notice urging users to update their systems to mitigate vulnerabilities.
CVEs
- CVE-2026-40213 — permissive default policy in the Cyborg API authorizes any valid token regardless of role or scope
- CVE-2026-40214 — missing project ownership enforcement in the Cyborg ARQ API allows cross-project ARQ deletion
Related entities
- Denial of Service (Attack Type)
- CWE-287 - Improper Authentication (Cwe)
- Cyborg (Platform)
- Ubuntu (Company)