If default policy restricts the method to global admins as indicated, then I feel like this is probably a class C1 report according to the VMT's taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy
"Not considered a practical vulnerability (but some people might assign a CVE for it)"
If there's agreement from some Nova core security reviewers (subscribed), we can continue this discussion as a regular public bug.