MEDIUM 5.3

GHSA-vxvf-xvm3-p8j5

OpenStack Horizon has Incorrect Behavior Order

Details

An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix.
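
The ordering problem described above, as an added example: a simplified model of the bug class, not Horizon or Django code. SessionStore, login_write_first, login_auth_first, rows_after_failed_logins and the USERS table are hypothetical names and constructed sample data.

```python
# Simplified model of the ordering flaw; not Horizon or Django code.
# All names here (SessionStore, login_write_first, ...) are hypothetical.
import hmac
import secrets

USERS = {"alice": "correct horse"}  # constructed sample credentials


class SessionStore:
    """Stand-in for a server-side session backend (database, cache, ...)."""

    def __init__(self):
        self.rows = {}

    def save(self, data):
        key = secrets.token_hex(16)
        self.rows[key] = dict(data)
        return key


def authenticate(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def login_write_first(store, username, password):
    """Flawed order: the backend is written before credentials are checked."""
    key = store.save({"login_attempt_for": username})  # one row per request
    if not authenticate(username, password):
        return None  # the row stays behind although the login failed
    store.rows[key] = {"user": username}
    return key


def login_auth_first(store, username, password):
    """Corrected order: nothing is persisted until authentication succeeds."""
    if not authenticate(username, password):
        return None
    return store.save({"user": username})


def rows_after_failed_logins(handler, attempts):
    """Rows left in the backend by `attempts` failed logins plus one valid one."""
    store = SessionStore()
    for i in range(attempts):
        handler(store, f"nobody{i}", "wrong")
    handler(store, "alice", "correct horse")
    return len(store.rows)
```

With the write-first handler the backend grows by one row per unauthenticated request; with the auth-first handler only the successful login is stored.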

Affected packages

PyPI / horizon
Introduced in: 25.6
Fixed in: 25.7.3
Fix: pip install --upgrade 'horizon>=25.7.3'
