Comment 4 for bug 1213241

Jeremy Stanley (fungi) wrote :

Even just from the perspective of separating operational roles, this means that someone who may already have authorization to write to the glance DB (for example to perform database maintenance) can in turn take direct control of any glance server. So yes, I would consider this a vulnerability worthy of an official announcement.