Comment 3 for bug 1861893

If default policy restricts the method to global admins as indicated, then I feel like this is probably a class C1 report according to the VMT's taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

"Not considered a practical vulnerability (but some people might assign a CVE for it)"

If there's agreement from some Nova core security reviewers (subscribed), we can continue this discussion as a regular public bug.