{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-50221", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-06-04T04:51:16.073Z", "datePublished": "2026-06-23T17:03:32.971Z", "dateUpdated": "2026-06-23T17:38:26.623Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Swift", "repo": "https://opendev.org/openstack/swift", "vendor": "OpenStack", "versions": [{"lessThan": "2.35.3", "status": "affected", "version": "2.0.0", "versionType": "semver"}, {"lessThan": "2.36.2", "status": "affected", "version": "2.36.0", "versionType": "semver"}, {"lessThan": "2.37.2", "status": "affected", "version": "2.37.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In OpenStack Swift before 2.37.2, proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An authenticated user with write access can inject these headers to redirect container update requests to an attacker-controlled server, enabling server-side request forgery. The SSRF requests expose internal cluster metadata including storage policy indexes, partition mappings, device names, and when at rest encryption is enabled, cipher text and initialization vectors for the container-level encryption key. The attacker can also cause \"ghost listings\" in arbitrary containers via the shard-range redirect mechanism."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-06-23T17:03:32.971Z"}, "references": [{"tags": ["issue-tracking"], "url": "https://launchpad.net/bugs/2150261"}, {"url": "https://www.openwall.com/lists/oss-security/2026/06/23/5"}, {"url": "https://security.openstack.org/ossa/OSSA-2026-024.html"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.35.3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.36.0", "versionEndExcluding": "2.36.2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.37.0", "versionEndExcluding": "2.37.2"}]}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/23/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-23T17:35:50.922Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T17:38:21.427291Z", "id": "CVE-2026-50221", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T17:38:26.623Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/23/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-23T17:35:50.922Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-50221", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T17:38:21.427291Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T17:38:23.631Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://opendev.org/openstack/swift", "vendor": "OpenStack", "product": "Swift", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.35.3", "versionType": "semver"}, {"status": "affected", "version": "2.36.0", "lessThan": "2.36.2", "versionType": "semver"}, {"status": "affected", "version": "2.37.0", "lessThan": "2.37.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://launchpad.net/bugs/2150261", "tags": ["issue-tracking"]}, {"url": "https://www.openwall.com/lists/oss-security/2026/06/23/5"}, {"url": "https://security.openstack.org/ossa/OSSA-2026-024.html"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In OpenStack Swift before 2.37.2, proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An authenticated user with write access can inject these headers to redirect container update requests to an attacker-controlled server, enabling server-side request forgery. The SSRF requests expose internal cluster metadata including storage policy indexes, partition mappings, device names, and when at rest encryption is enabled, cipher text and initialization vectors for the container-level encryption key. The attacker can also cause \"ghost listings\" in arbitrary containers via the shard-range redirect mechanism."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.35.3", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.36.2", "versionStartIncluding": "2.36.0"}, {"criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.37.2", "versionStartIncluding": "2.37.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-06-23T17:03:32.971Z"}}}, "cveMetadata": {"cveId": "CVE-2026-50221", "state": "PUBLISHED", "dateUpdated": "2026-06-23T17:38:26.623Z", "dateReserved": "2026-06-04T04:51:16.073Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-06-23T17:03:32.971Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "openstack-swift: OpenStack Swift: SSRF via internal update header injection in proxy-server", "id": "2491876", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491876"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["A flaw was found in OpenStack Swift's proxy-server. Internal container update routing headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) are not stripped from client requests before being forwarded to object-servers. An authenticated user with write access can inject these headers to redirect internal container update requests to an attacker-controlled server, resulting in server-side request forgery. This can lead to disclosure of internal cluster metadata and, when at-rest encryption is enabled, exposure of encrypted container-level key material. Additionally, the attacker can create unauthorized listings in arbitrary containers via the shard-range redirect mechanism."], "mitigation": {"lang": "en:us", "value": "There is no mitigation for this flaw. The only resolution is to upgrade OpenStack Swift to a patched version: 2.35.3 (for the 2.0.0+ series), 2.36.2 (for the 2.36.x series), or 2.37.2 (for the 2.37.x series). The risk is partially limited because exploitation requires an authenticated user with write access to at least one Swift container."}, "name": "CVE-2026-50221", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "rhosp13/openstack-swift-account", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "rhosp13/openstack-swift-base", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "rhosp13/openstack-swift-container", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "rhosp13/openstack-swift-object", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "rhosp13/openstack-swift-proxy-server", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Fix deferred", "package_name": "openstack-swift", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Fix deferred", "package_name": "rhosp-rhel8/openstack-swift-account", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Fix deferred", "package_name": "rhosp-rhel8/openstack-swift-base", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Fix deferred", "package_name": "rhosp-rhel8/openstack-swift-container", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Fix deferred", "package_name": "rhosp-rhel8/openstack-swift-object", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Fix deferred", "package_name": "rhosp-rhel8/openstack-swift-proxy-server", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Fix deferred", "package_name": "openstack-swift", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Fix deferred", "package_name": "rhosp-rhel9/openstack-swift-account", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Fix deferred", "package_name": "rhosp-rhel9/openstack-swift-base", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Fix deferred", "package_name": "rhosp-rhel9/openstack-swift-container", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Fix deferred", "package_name": "rhosp-rhel9/openstack-swift-object", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Fix deferred", "package_name": "rhosp-rhel9/openstack-swift-proxy-server", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "openstack-swift", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "rhoso/openstack-swift-account-rhel9", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "rhoso/openstack-swift-base-rhel9", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "rhoso/openstack-swift-container-rhel9", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "rhoso/openstack-swift-object-rhel9", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "rhoso/openstack-swift-proxy-server-rhel9", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform/bootc-automation-portal-rhel9", "product_name": "Self-service automation portal 2"}], "public_date": "2026-06-23T17:03:32Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-50221\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-50221\nhttps://launchpad.net/bugs/2150261\nhttps://security.openstack.org/ossa/OSSA-2026-024.html\nhttps://www.openwall.com/lists/oss-security/2026/06/23/5"], "statement": "Red Hat OpenStack Platform 13, 16.2, 17.1, and Red Hat OpenStack Services on OpenShift 18.0 ship OpenStack Swift proxy-server in affected versions and are vulnerable to this flaw. This vulnerability is rated as Moderate severity because exploitation requires an authenticated user with write access to at least one Swift container. The SSRF allows redirection of container update requests to attacker-controlled servers, exposing internal cluster metadata. When at-rest encryption is enabled, cipher text and initialization vectors for the container-level encryption key are also exposed, though the encryption key itself is not directly disclosed. The attack is network-accessible but requires valid credentials and write permissions, limiting the attacker population to existing tenants within the deployment.", "threat_severity": "Moderate"}