Comment 2 for bug 2008705

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

At first blush, I'm leaning toward considering this impractical to exploit for the reasons you cite. If there's no disagreement from Cinder security reviewers, I'm inclined to treat it as class C1 per our taxonomy (that is, switch to public and fix but no need for an advisory, even though someone might still assign a CVE for tracking it out of thoroughness): https://security.openstack.org/vmt-process.html#report-taxonomy