Comment 6 for bug 1988026

Dr. Jens Harbott (j-harbott) wrote :

Oh, nice. This even works when supplying valid project IDs of different projects. The result isn't different, though, than what would happen when the project does their own initial contact with Neutron, so I think there is no additional exploit hidden there.

Note, however, that in the default configuration, the created security groups will not be empty, but contain four rules (allow outgoing and remote=self for both IPv4 and IPv6), which will slightly increase the resource usage impact.