As Jeremy said, this behavior is the actual design for VNC connections, though there are work in progress to add authentication and encryption, see: https://blueprints.launchpad.net/nova/+spec/websocket-proxy-to-host-security
Nevertheless, this seems to describe an insecure deployment and it should be reported to the deployment framework used, if any. Management network is considered trusted and access should be highly restricted as documented here: https://docs.openstack.org/security-guide/introduction/security-boundaries-and-threats.html#management
As Jeremy said, this behavior is the actual design for VNC connections, though there are work in progress to add authentication and encryption, see: https:/ /blueprints. launchpad. net/nova/ +spec/websocket -proxy- to-host- security
Nevertheless, this seems to describe an insecure deployment and it should be reported to the deployment framework used, if any. Management network is considered trusted and access should be highly restricted as documented here: https:/ /docs.openstack .org/security- guide/introduct ion/security- boundaries- and-threats. html#management