Message-ID: <3f951397-fbcc-44c5-b733-01a686a7df32@gmail.com>
Date: Tue, 5 May 2026 08:01:06 -0700
From: Goutham Pacha Ravi <gouthampravi@...il.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2026-009] Horizon: Unauthenticated session flood via login redirect storage (CVE-2026-43002)

=========================================================================
OSSA-2026-009: Unauthenticated session flood via login redirect storage
=========================================================================

:Date: April 27, 2026
:CVE: CVE-2026-43002

Affects
~~~~~~~

- Horizon: >=25.6.0 <25.7.3

Description
~~~~~~~~~~~

Erichen (Institute of Computing Technology, Chinese Academy of Sciences)
reported a denial of service vulnerability in Horizon. The login view
stores a post-login redirect URL in the server-side session before the
user authenticates. Because each unauthenticated request without a
session cookie triggers a new persistent session entry, an attacker can
exhaust the session storage backend (Memcached, Redis, or database) by
sending repeated requests to ``/auth/login/?next=URL``. When the backend
reaches capacity, legitimate sessions are evicted, logging out
administrators and preventing them from accessing the dashboard. This is
a regression of CVE-2014-8124. Deployments running Horizon from the
2026.1 (Gazpacho) release series with default session configuration are
affected. Earlier release series do not contain the vulnerable code.

Patches
~~~~~~~

- https://review.opendev.org/c/openstack/horizon/+/986834 (2026.1/gazpacho)

Credits
~~~~~~~

- Erichen from Institute of Computing Technology, Chinese Academy of
  Sciences (CVE-2026-43002)

References
~~~~~~~~~~

- https://launchpad.net/bugs/2150331
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43002

Notes
~~~~~

- This vulnerability was introduced in commit 3e2ff4e06 (Horizon 25.6.0)
  and only affects the 2026.1 (Gazpacho) release series. Earlier releases
  are not affected.
- This is a regression of CVE-2014-8124. The original middleware-level fix
  remains effective, but the new view-layer session write bypasses it.

--
Goutham Pacha Ravi (gouthamr)
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
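The following Python simulation is added here to illustrate the failure mode the advisory describes; it is not Horizon's code and does not reproduce the content of the linked review. The `SessionStore` (a capacity-bounded store with LRU eviction standing in for Memcached, Redis or the database), the `Request` class, the two view functions and the capacity of 3 are all constructed for the example. `vulnerable_login_get` shows the pattern the advisory names (the `next` target written into a server-side session before authentication, so a cookie-less request persists a fresh session entry); `hardened_login_get` / `hardened_login_post` show one generic mitigation, keeping the validated redirect client-side until login succeeds, which is an assumption about a reasonable fix rather than a description of the actual patch. In real Django the session middleware persists a session once a view modifies it; the toy collapses that into an explicit `store.create()`.

```python
"""Constructed simulation of the session-flood pattern in OSSA-2026-009.
Not Horizon code: every class and function here is invented for illustration."""
from collections import OrderedDict
import secrets


class SessionStore:
    """Toy stand-in for a capacity-bounded Memcached/Redis-style backend with
    least-recently-used eviction (constructed for this example)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._data = OrderedDict()
        self.evicted = []  # keys dropped to make room, oldest first

    def create(self, payload):
        """Persist a new session; evict the least recently used one if full."""
        if len(self._data) >= self.capacity:
            old_key, _ = self._data.popitem(last=False)
            self.evicted.append(old_key)
        key = secrets.token_hex(8)
        self._data[key] = dict(payload)
        return key

    def get(self, key):
        """Return the session for ``key`` (refreshing its LRU slot) or None."""
        if key is None or key not in self._data:
            return None
        self._data.move_to_end(key)
        return self._data[key]

    def __len__(self):
        return len(self._data)


class Request:
    """Minimal request object: path, query parameters and session cookie."""

    def __init__(self, path, query=None, cookie=None):
        self.path = path
        self.query = query or {}
        self.cookie = cookie


def is_safe_redirect(target):
    """Accept only same-origin relative paths as a post-login redirect."""
    return target.startswith("/") and not target.startswith("//")


def vulnerable_login_get(store, request):
    """Vulnerable pattern as described in the advisory: the redirect target is
    written to the server-side session before authentication, so every
    cookie-less GET persists a brand-new session entry in the backend."""
    session = store.get(request.cookie)
    if session is None:
        request.cookie = store.create({"next": request.query.get("next", "/")})
    else:
        session["next"] = request.query.get("next", "/")


def hardened_login_get(store, request):
    """Hardened pattern (assumed mitigation): validate ``next`` and hand it back
    to the client as a hidden form field. ``store`` is accepted only so both
    views share a signature; nothing is written to it before login."""
    target = request.query.get("next", "/")
    return {"form_next": target if is_safe_redirect(target) else "/"}


def hardened_login_post(store, request, authenticated):
    """Only a successful authentication creates a persistent session; the
    redirect target is re-validated when it comes back from the form."""
    if not authenticated:
        return None
    target = request.query.get("next", "/")
    safe_target = target if is_safe_redirect(target) else "/"
    return store.create({"user": "admin", "next": safe_target})


def simulate(view, capacity=3, cookieless_requests=10):
    """Log an admin in, replay cookie-less GETs to /auth/login/?next=...
    through ``view``, and report whether the admin's session survived."""
    store = SessionStore(capacity)
    admin_cookie = store.create({"user": "admin"})
    for _ in range(cookieless_requests):
        view(store, Request("/auth/login/", {"next": "/project/"}))
    return {
        "admin_session_alive": store.get(admin_cookie) is not None,
        "sessions_in_store": len(store),
        "evictions": len(store.evicted),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_login_get))
    print("hardened:  ", simulate(hardened_login_get))
```

With the vulnerable view, ten cookie-less requests against a three-slot store evict the administrator's session after the third request; with the hardened view the store never grows before authentication. On a real deployment the equivalent signal for monitoring is a session-creation rate from requests that carry no session cookie, which should stay near zero for the login page.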