VDB
KO
CRITICAL 9.1

PYSEC-2026-433

OpenStack Octavia Amphora-Agent not requiring Client-Certificate

Details

Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the `cmd/agent.py` gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / octavia
Introduced in: 0.10.0 Fixed in: 2.1.2
Fix pip install --upgrade 'octavia>=2.1.2'

References