=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN456
_____________________________________________________________________

DATE                : 05/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Horizon versions prior to 25.7.3.

=====================================================================
https://security.openstack.org/ossa/OSSA-2026-009.html
_____________________________________________________________________


OSSA-2026-009: Unauthenticated session flood via login redirect storage

Date:

    April 27, 2026

CVE:

    CVE-2026-43002

Affects:

    Horizon: >=25.6.0 <25.7.3

Description

Erichen (Institute of Computing Technology, Chinese Academy of
Sciences) reported a denial of service vulnerability in Horizon.
The login view stores a post-login redirect URL in the
server-side session before the user authenticates. Because each
unauthenticated request without a session cookie triggers a new
persistent session entry, an attacker can exhaust the session
storage backend (Memcached, Redis, or database) by sending
repeated requests to /auth/login/?next=URL. When the backend
reaches capacity, legitimate sessions are evicted, logging out
administrators and preventing them from accessing the dashboard.
This is a regression of CVE-2014-8124. Deployments running
Horizon from the 2026.1 (Gazpacho) release series with default
session configuration are affected. Earlier release series do
not contain the vulnerable code.
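The following added illustration (not Horizon's code and not the linked patch) models the mechanism above with a toy, capacity-bounded session store: the vulnerable handler writes the redirect target into a new server-side session on every anonymous request, while the hardened variant persists nothing server-side until authentication succeeds. The store, handlers and request dictionaries are constructed for the example.

```python
from collections import OrderedDict
import secrets


class SessionStore:
    """Constructed stand-in for a Memcached/Redis/DB session backend."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.sessions = OrderedDict()  # insertion order = age

    def create(self, data):
        """Persist a new session; evict the oldest entry when full."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = data
        if len(self.sessions) > self.capacity:
            self.sessions.popitem(last=False)
        return sid

    def has(self, sid):
        return sid in self.sessions


def login_vulnerable(store, request):
    """Pattern described in the advisory: 'next' is written to a
    server-side session before the user has authenticated."""
    sid = request.get("session_id")
    if sid is None or not store.has(sid):
        # Every cookieless request creates a persistent session entry.
        sid = store.create({"next": request.get("next", "/")})
    return sid


def login_hardened(store, request, authenticated=False):
    """Hardened variant: nothing is persisted server-side until the
    credentials have been verified; 'next' travels in the form/query."""
    if not authenticated:
        return None
    return store.create({"user": request["user"],
                         "next": request.get("next", "/")})


def simulate(handler, anonymous_requests, capacity=3):
    """Does an admin session survive a burst of anonymous login hits?"""
    store = SessionStore(capacity)
    admin_sid = store.create({"user": "admin"})
    for i in range(anonymous_requests):
        handler(store, {"next": f"/project/{i}/"})
    return store.has(admin_sid)
```

With the vulnerable handler the administrator's session is evicted as soon as the anonymous burst exceeds the store's capacity; with the hardened handler the store never grows from anonymous traffic.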


Patches

    https://review.opendev.org/c/openstack/horizon/+/986834 (2026.1/gazpacho)


Credits

    Erichen from Institute of Computing Technology, Chinese
Academy of Sciences (CVE-2026-43002)


References

    https://launchpad.net/bugs/2150331

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43002


Notes

    This vulnerability was introduced in commit 3e2ff4e06
(Horizon 25.6.0) and only affects the 2026.1 (Gazpacho) release
series. Earlier releases are not affected.

    This is a regression of CVE-2014-8124. The original
middleware-level fix remains effective, but the new
view-layer session write bypasses it.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================