Comment 3 for bug 1681465

As Jeremy said, this behavior is the actual design for VNC connections, though there are work in progress to add authentication and encryption, see: https://blueprints.launchpad.net/nova/+spec/websocket-proxy-to-host-security

Nevertheless, this seems to describe an insecure deployment and it should be reported to the deployment framework used, if any. Management network is considered trusted and access should be highly restricted as documented here: https://docs.openstack.org/security-guide/introduction/security-boundaries-and-threats.html#management