Comment 4 for bug 1651679

Jeremy Stanley (fungi) wrote :

Based on the description, it sounds like an unauthenticated actor can (through some manner of social engineering) compel an authenticated user to generate load on the server, but by design any authenticated malicious user could do this anyway even without the described bug?

If that's the case, pretty borderline but I'd lean toward this being either class C1 (an impractical vulnerability) or D (security hardening opportunity). https://security.openstack.org/vmt-process.html#incident-report-taxonomy I'm also subscribing the security note reviewers for input.