January 17, 2026
Stackers Network Digest — January 17, 2026
The Big Picture
The community came fully back to life this week after the holiday break, and security led the news: a keystonemiddleware privilege-escalation CVE landed mid-week, complete with a same-day errata correcting the affected version range. Alongside it, the machinery of the next release cycle started turning — Thierry Carrez posted the proposed schedule for 2026.2 "Hibiscus" — while the Foundation laid out its strategic plans for the year. There were no large flame-war threads; instead the week was a broad spread of operator questions (RabbitMQ versions, Galera backups, OVN BGP, Cinder migration speed) and forward-looking coordination from the TC and OpenInfra staff.
Security
Privilege escalation in keystonemiddleware (OSSA-2026-001 / CVE-2026-22797). Jeremy Stanley announced a vulnerability reported by Grzegorz Grasza (Red Hat) in the external_oauth2_token middleware. The middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens, so an authenticated attacker can send forged identity headers — X-Is-Admin-Project, X-Roles, X-User-Id — to escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected. The fix adds a remove_auth_headers() call at the start of request processing, matching the behavior of the main auth_token middleware. Patches are posted for caracal, dalmatian, epoxy, flamingo, and gazpacho (2026.1).
Note the errata issued the next day: the original advisory listed >=10.0.0 as affected based on incorrect data, but the vulnerable code wasn't added until keystonemiddleware 10.5.0 (during the 2024.1/Caracal cycle). The corrected affected ranges are >=10.5.0 <10.7.2, >=10.8.0 <10.9.1, and >=10.10.0 <10.12.1. If you run external OAuth2 token auth, this is your action item for the week.
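The two things a defender wants from this advisory are a check against the corrected version ranges and a clear picture of what the fix does. The Python below is an added example, not code from the advisory or from keystonemiddleware: `is_affected()` encodes the errata ranges, and `OAuth2TokenFilter` is a hypothetical WSGI stand-in for the external_oauth2_token middleware whose `sanitize` flag toggles the `remove_auth_headers()` call the fix adds. The token table, the forged request, the extra header names beyond the three in the advisory, and the assumption that the toy middleware only writes headers for claims the token actually carries are all constructed for illustration.

```python
"""OSSA-2026-001: affected-version check and the header-stripping fix, as a toy model."""
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Corrected affected ranges from the errata, each as [lower, upper).
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((10, 5, 0), (10, 7, 2)),
    ((10, 8, 0), (10, 9, 1)),
    ((10, 10, 0), (10, 12, 1)),
)


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' into a comparable tuple; missing components default to 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True if this keystonemiddleware version falls inside any vulnerable range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Identity headers the middleware sets from a validated token: the three named in
# the advisory plus two more that keystonemiddleware also sets (illustrative list).
# Any value a client sends under these names must be dropped, never trusted.
IDENTITY_HEADERS = ("X-Is-Admin-Project", "X-Roles", "X-User-Id",
                    "X-Project-Id", "X-Identity-Status")


def wsgi_key(header: str) -> str:
    """Map an HTTP header name to its WSGI environ key (X-Roles -> HTTP_X_ROLES)."""
    return "HTTP_" + header.upper().replace("-", "_")


def remove_auth_headers(environ: Dict[str, str]) -> List[str]:
    """The fix: strip every client-supplied identity header; return the names removed."""
    return [name for name in IDENTITY_HEADERS
            if environ.pop(wsgi_key(name), None) is not None]


class OAuth2TokenFilter:
    """Hypothetical stand-in for external_oauth2_token, not the real middleware."""

    # Which claim of the validated token feeds each outgoing identity header.
    CLAIM_FOR_HEADER = {"X-User-Id": "user_id", "X-Project-Id": "project_id",
                        "X-Roles": "roles", "X-Is-Admin-Project": "is_admin_project"}

    def __init__(self, app, validate: Callable[[str], Optional[dict]], sanitize: bool = True):
        self.app, self.validate, self.sanitize = app, validate, sanitize

    def __call__(self, environ, start_response):
        if self.sanitize:
            remove_auth_headers(environ)  # must run before any token handling
        auth = environ.get("HTTP_AUTHORIZATION", "")
        identity = self.validate(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
        if identity is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"valid bearer token required"]
        environ[wsgi_key("X-Identity-Status")] = "Confirmed"
        # Assumption of this toy: only claims present in the token are written, so in
        # the unsanitized variant a forged header for an absent claim reaches the backend.
        for header, claim in self.CLAIM_FOR_HEADER.items():
            if claim in identity:
                value = identity[claim]
                environ[wsgi_key(header)] = ",".join(value) if isinstance(value, list) else str(value)
        return self.app(environ, start_response)


# Constructed token store: alice is a plain member with no is_admin_project claim.
TOKENS = {"tok-alice": {"user_id": "alice", "project_id": "demo", "roles": ["member"]}}

# Constructed request: a valid token plus forged identity headers.
FORGED_REQUEST = {
    "REQUEST_METHOD": "GET", "PATH_INFO": "/v3/servers",
    "HTTP_AUTHORIZATION": "Bearer tok-alice",
    "HTTP_X_IS_ADMIN_PROJECT": "True",
    "HTTP_X_ROLES": "admin",
}


def run_request(environ: Dict[str, str], sanitize: bool):
    """Push a request through the filter; return (status, identity headers the backend saw)."""
    seen: Dict[str, Optional[str]] = {}

    def backend(env, start_response):
        seen.update({h: env.get(wsgi_key(h)) for h in IDENTITY_HEADERS})
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    status: List[str] = []
    app = OAuth2TokenFilter(backend, TOKENS.get, sanitize=sanitize)
    list(app(dict(environ), lambda s, h: status.append(s)))  # copy: callers keep their environ
    return status[0], seen


if __name__ == "__main__":
    print("10.7.1 affected:", is_affected("10.7.1"), "| 10.7.2 affected:", is_affected("10.7.2"))
    for flag in (False, True):
        print("sanitize=%s ->" % flag, run_request(FORGED_REQUEST, sanitize=flag))
```

Run unsanitized, the backend sees `X-Is-Admin-Project: True` even though alice's token carries no such claim; with `sanitize=True` the forged header is gone and `X-Roles` is whatever the validated token says. The ordering matters: stripping has to happen at the very start of request processing, before anything reads a header, which is why the fix places the `remove_auth_headers()` call there.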
Releases & Announcements
2026.2 "Hibiscus" schedule proposed. Thierry Carrez posted the draft schedule for the next cycle — a 26-week cycle placing final release on September 30, 2026 — and asked for objections via the Gerrit review. Separately, the TC's weekly meeting returned on January 13 after a four-week holiday hiatus (Goutham Pacha Ravi chairing), marking the community's return to its normal cadence at the 2026.1/R-11 milestone.
Development & Technical Decisions
RabbitMQ on EL is a live operator question. Francesco Di Nucci, upgrading from Caracal to Epoxy on EL with RDO packages, flagged that the CentOS Stream Messaging SIG still ships RabbitMQ 3.8 — which is EOL — and asked whether to move to 3.13 or the 4.x series. This is a concrete, unresolved pain point for RDO-based operators worth watching.
Operator troubleshooting filled the list. Among the more substantive threads: Karl-Heinz Preuß found Cinder volume migration capped around 100 MB/s because migration explicitly disables multipathing (multipath=false in the logs) when migrating off an HPE Nimble backend toward Ceph; an OVN BGP agent user (nb_ovn_bgp_driver, underlay exposing) hit NetlinkError: Network is down because OVS bridges appear down to ip link and the route-table setup fails, with no reboot-persistent workaround yet; and Keshav Bareja asked how to back up Galera now that OSA Epoxy moved to MariaDB 11.4.8 and the old mysqldump --all-databases no longer works (proposing mariadb-dump with --single-transaction). A Nova resize bug with mismatched swap/no-swap flavor combos for image-backed instances was filed as Launchpad bug 2138418.
Community & Events
This was a heavy week for strategy and direction. Jeremy Stanley opened "Taking OpenStack to the Next Level in 2026," sharing the Foundation staff's chosen goal — "Elevate OpenInfra projects to their next level" — translated for OpenStack into lowering barriers to participation, increasing reviewer bandwidth and efficiency, and simplifying the user survey. He explicitly framed it as better use of staff time, not new work for maintainers, and asked for community feedback ahead of a board presentation.
Complementing that, Allison Price shared the 2026 marketing priorities: positioning OpenStack as the open-source infrastructure standard for AI workloads (the primary focus, with a stated interest in hardware-diversification efforts), digital sovereignty as a global growth driver, and VMware migration as continued momentum. Kendall Nelson separately kicked off a dedicated digital-sovereignty effort, with a first meeting January 20 at 07:00 UTC to set goals for the year.
On metrics, Ildiko Vancsa continued working through Jay Faulkner's feedback on the new LFX Insights dashboards. Faulkner's core concern: the new dashboards feel "anemic" versus the old Bitergia/Stackalytics ones — he can't find individual Gerrit reviewer stats (review types, frequency, reviewer comparison), contribution data beyond the top-5 companies, or per-project (not per-repo) filtering. Vancsa walked through several existing controls and flagged the reviewer-stats use case as something that may need a new GitHub issue against LFX Insights. This matters because the Bitergia dashboard is being retired and several reviewer-evaluation workflows depend on it.
Routine scheduling rounded out the week: the Cinder Festival of Reviews ran Friday, January 16; the first 2026 Ops Radio Hour is set for January 23 at 13:00 UTC (agenda includes 2026 plans and a survey draft); the Public Cloud SIG met January 14; and Tacker cancelled its weekly meeting for a Japanese holiday.