YAOOK Security Advisory CVE-2026-49299, CVE-2026-50266

What are CVE-2026-49299 and CVE-2026-50266, and how do they affect YAOOK?

These CVEs in OpenStack Neutron allow policies for ports or tagging to be bypassed.
CVE-2026-49299 is a policy enforcement bypass in Neutron’s tagging controller.
CVE-2026-50266 is a policy enforcement bypass in Neutron’s default port RBAC rules.

Is my cluster vulnerable?

The following images are vulnerable:
  • neutron images prior to version 1.0.191
  • yaook release prior to 2.3.1

If one of these images is used in your cluster for the neutron-api deployment, the cluster is vulnerable.

Upgrading

A new stable release will be published according to the release cycle, and hotfix releases will be produced starting now. You can upgrade to that release simply by updating your operators.

However, we recommend adding a YAOOK_OP_VERSIONS_OVERRIDE variable to your Neutron operator container so that the fixed image is fetched before the comprehensive YAOOK release is ready.

The best way to do this is to set the following in the values.yaml of your keystone-operator (make sure to merge this correctly with an existing values.yaml, if you have one).
operator:
  extraEnv:
    - name: YAOOK_OP_VERSIONS_OVERRIDE
      value: |
        {
          "registry.yaook.cloud/yaook/neutron-2023.2": "registry.yaook.cloud/yaook/neutron-2023.2:1.0.191",
          "registry.yaook.cloud/yaook/neutron-2024.1": "registry.yaook.cloud/yaook/neutron-2024.1:1.0.191",
          "registry.yaook.cloud/yaook/neutron-2024.2": "registry.yaook.cloud/yaook/neutron-2024.2:1.0.191",
          "registry.yaook.cloud/yaook/neutron-2025.1": "registry.yaook.cloud/yaook/neutron-2025.1:1.0.191",
          "registry.yaook.cloud/yaook/neutron-2025.2": "registry.yaook.cloud/yaook/neutron-2025.2:1.0.191"
        }
If you are not using Helm, you can add the same environment variable to the env section of the pod template in your keystone-operator's Deployment.
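To verify the override before rolling it out, and to check which neutron images a cluster is actually running, the following Python script is an added example; it is not part of the advisory and not YAOOK's own code. It uses only the image repositories and the fixed version 1.0.191 named above. The function names (split_image_ref, is_vulnerable, validate_override, audit_images) and the sample image references are assumptions constructed for the example; feed audit_images the image references you collect from your cluster (for instance from the neutron-api pods' container specs).

```python
import json
import re

# Fixed neutron image version from the advisory.
FIXED_VERSION = (1, 0, 191)

# Neutron image repositories listed in the advisory's override block.
NEUTRON_REPOS = (
    "registry.yaook.cloud/yaook/neutron-2023.2",
    "registry.yaook.cloud/yaook/neutron-2024.1",
    "registry.yaook.cloud/yaook/neutron-2024.2",
    "registry.yaook.cloud/yaook/neutron-2025.1",
    "registry.yaook.cloud/yaook/neutron-2025.2",
)

# The override value exactly as given in the advisory, used to self-check the validator.
ADVISORY_OVERRIDE = json.dumps({r: f"{r}:1.0.191" for r in NEUTRON_REPOS})

_TAG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def split_image_ref(ref):
    """Split 'repo[:tag]' or 'repo@digest' into (repo, tag).
    tag is None for untagged or digest-pinned references. A ':' only counts
    as a tag separator after the last '/', so a registry port is not mistaken
    for a tag."""
    if "@" in ref:
        return ref.split("@", 1)[0], None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        return ref[:colon], ref[colon + 1:]
    return ref, None


def parse_version(tag):
    """'1.0.190' -> (1, 0, 190); None for anything that is not X.Y.Z."""
    m = _TAG_RE.match(tag or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(ref):
    """True if ref is a neutron image older than 1.0.191, False if it is a
    fixed neutron image or not a neutron image at all. Returns None when the
    version cannot be read from the reference (untagged, 'latest', digest
    only); such pods need manual inspection of the running image."""
    repo, tag = split_image_ref(ref)
    if repo not in NEUTRON_REPOS:
        return False
    version = parse_version(tag)
    if version is None:
        return None
    return version < FIXED_VERSION


def audit_images(refs):
    """Classify image references into 'vulnerable', 'fixed' and 'unknown'."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for ref in refs:
        verdict = is_vulnerable(ref)
        key = "unknown" if verdict is None else ("vulnerable" if verdict else "fixed")
        result[key].append(ref)
    return result


def validate_override(override_json):
    """Check a YAOOK_OP_VERSIONS_OVERRIDE value: it must be a JSON object that
    maps every neutron repository to an image in the same repository tagged
    with version >= 1.0.191. Returns a list of problems; empty means OK."""
    try:
        mapping = json.loads(override_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(mapping, dict):
        return ["override must be a JSON object"]
    problems = []
    for repo in NEUTRON_REPOS:
        pinned = mapping.get(repo)
        if pinned is None:
            problems.append(f"{repo}: no override entry")
            continue
        pinned_repo, tag = split_image_ref(pinned)
        if pinned_repo != repo:
            problems.append(f"{repo}: override points at a different repository ({pinned_repo})")
        version = parse_version(tag)
        if version is None:
            problems.append(f"{repo}: pinned image has no X.Y.Z tag ({tag!r})")
        elif version < FIXED_VERSION:
            problems.append(f"{repo}: pinned version {tag} is still below 1.0.191")
    return problems


if __name__ == "__main__":
    # Constructed sample of image references, as one might collect from pod specs.
    sample = [
        "registry.yaook.cloud/yaook/neutron-2024.1:1.0.190",
        "registry.yaook.cloud/yaook/neutron-2025.1:1.0.191",
        "registry.yaook.cloud/yaook/neutron-2023.2",
    ]
    print(json.dumps(audit_images(sample), indent=2))
    print("override problems:", validate_override(ADVISORY_OVERRIDE))
```

An untagged or digest-pinned reference lands in "unknown" rather than "fixed": the script cannot tell which version a digest resolves to, so those pods should be checked against the registry rather than assumed safe.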