CVE-2026-43002 Overview
CVE-2026-43002 affects OpenStack Horizon versions 25.6 and 25.7 prior to 25.7.3. The dashboard writes data to the session storage backend before authentication occurs. Unauthenticated attackers can issue repeated requests to exhaust session storage capacity. This represents a regression of the earlier fix for CVE-2014-8124, reintroducing a previously resolved resource exhaustion condition. The flaw is classified under CWE-696 (Incorrect Behavior Order) and impacts the availability of the Horizon dashboard service.
Critical Impact
Unauthenticated network attackers can exhaust the session storage backend, leading to denial of service for the OpenStack Horizon dashboard.
Affected Products
- OpenStack Horizon 25.6 (all releases)
- OpenStack Horizon 25.7 prior to 25.7.3
- Deployments using session storage backends shared with the Horizon dashboard
Discovery Timeline
- 2026-05-05 - CVE-2026-43002 published to NVD
- 2026-05-05 - OpenStack Security Advisory OSSA-2026-009 released
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43002
Vulnerability Analysis
OpenStack Horizon is the canonical web dashboard for managing OpenStack services. The vulnerability stems from an ordering defect in the request handling pipeline. Horizon writes to its session storage backend before completing authentication checks on incoming requests. This means any unauthenticated client can cause new session entries to be persisted simply by issuing HTTP requests.
The root issue falls under [CWE-696] (Incorrect Behavior Order). Session creation and persistence should occur only after a request has been authenticated or has otherwise demonstrated legitimacy. By inverting this order, Horizon allows external traffic to drive backend storage growth without rate limiting or attribution.
This is a regression of CVE-2014-8124, which addressed the same class of pre-authentication session writes. Code changes between Horizon 25.5 and 25.6 reintroduced the unsafe ordering. The fix landed in Horizon 25.7.3.
Root Cause
The defect is located in Horizon's middleware layer where session objects are instantiated and committed to the configured backend (memcached, database, or file storage) prior to authentication enforcement. Each unauthenticated request triggers a write, and the absence of pre-auth throttling allows attackers to amplify storage consumption with minimal effort. See the Launchpad bug report for the upstream discussion.
Attack Vector
An attacker sends a high volume of unauthenticated HTTP requests to a publicly reachable Horizon endpoint. Each request causes a session record to be written to the backend. Sustained traffic exhausts available storage, evicts legitimate sessions, or degrades the underlying datastore. The attack requires no credentials, no user interaction, and only network reachability to the Horizon dashboard. Refer to the Openwall OSS-Security discussion for additional context.
Detection Methods for CVE-2026-43002
Indicators of Compromise
- Rapid growth in session storage backend size (memcached memory pressure, database table growth, or session file count) without a corresponding increase in authenticated user activity.
- High volume of HTTP requests to Horizon endpoints originating from a small set of source IP addresses with no successful authentication events.
- Eviction of legitimate user sessions or unexpected session lookup failures in Horizon logs.
Detection Strategies
- Correlate web server access logs with Horizon authentication logs to identify request volumes that lack matching authentication attempts.
- Monitor session backend metrics (memcached curr_items, database row counts, or filesystem inode usage) for anomalous rate-of-change.
- Alert on sustained 4xx responses to Horizon login pages paired with elevated session creation counts.
Monitoring Recommendations
- Instrument the session backend with capacity thresholds and trigger alerts at 70% and 90% utilization.
- Forward Horizon application logs and reverse proxy logs to a centralized analytics platform for correlation.
- Track per-source-IP request rates to Horizon and rate-limit or block sources exceeding baseline thresholds.
How to Mitigate CVE-2026-43002
Immediate Actions Required
- Upgrade OpenStack Horizon to version 25.7.3 or later, which contains the corrected request ordering.
- Place Horizon behind a reverse proxy or web application firewall configured to rate-limit unauthenticated traffic.
- Restrict network access to the Horizon dashboard so it is not reachable from untrusted networks where operationally feasible.
Patch Information
The upstream fix is included in OpenStack Horizon 25.7.3. Operators running 25.6.x or 25.7.x prior to 25.7.3 should apply the patched release published in OSSA-2026-009. Distribution packagers may backport the fix to earlier supported branches; verify the version shipped by your Linux distribution before considering the system patched.
Workarounds
- Enforce strict rate limiting on Horizon endpoints at the load balancer or reverse proxy layer to cap unauthenticated request rates.
- Provision the session storage backend with sufficient capacity and aggressive eviction policies to limit the impact of exhaustion attempts.
- Restrict Horizon dashboard exposure using IP allow-listing, VPN access, or network segmentation until the patched version is deployed.
# Example nginx rate limit for unauthenticated Horizon traffic
# Place in the http {} block
limit_req_zone $binary_remote_addr zone=horizon_anon:10m rate=10r/s;
# In the Horizon server {} block
location / {
limit_req zone=horizon_anon burst=20 nodelay;
proxy_pass http://horizon_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
