Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-33551 (GCVE-0-2026-33551)
Vulnerability from cvelistv5 – Published: 2026-04-10 00:00 – Updated: 2026-04-10 13:50- CWE-863 - Incorrect Authorization
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-10T03:07:01.673Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33551",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T13:50:09.231560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T13:50:43.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://bugs.launchpad.net/keystone/+bug/2142138"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Keystone",
"vendor": "OpenStack",
"versions": [
{
"lessThan": "26.1.1",
"status": "affected",
"version": "14.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "27.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "28.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "29.0.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.1.1",
"versionStartIncluding": "14.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
"versionEndIncluding": "27.0.0",
"versionStartIncluding": "27.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
"versionEndIncluding": "28.0.0",
"versionStartIncluding": "28.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
"versionEndIncluding": "29.0.0",
"versionStartIncluding": "29.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user\u0027s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T02:02:56.184Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugs.launchpad.net/keystone/+bug/2142138"
},
{
"url": "https://security.openstack.org/ossa/OSSA-2026-005.html"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-33551",
"datePublished": "2026-04-10T00:00:00.000Z",
"dateReserved": "2026-03-22T00:00:00.000Z",
"dateUpdated": "2026-04-10T13:50:43.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33551",
"date": "2026-07-15",
"epss": "0.0022",
"percentile": "0.12402"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33551\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2026-04-10T03:16:02.723\",\"lastModified\":\"2026-06-17T10:37:41.700\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user\u0027s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.\"}],\"affected\":[{\"source\":\"cve@mitre.org\",\"affectedData\":[{\"vendor\":\"OpenStack\",\"product\":\"Keystone\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"14.0.0\",\"lessThan\":\"26.1.1\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"27.0.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"28.0.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"29.0.0\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-04-10T13:50:09.231560Z\",\"id\":\"CVE-2026-33551\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"14.0.0\",\"versionEndExcluding\":\"26.1.1\",\"matchCriteriaId\":\"57F78A4F-A6DA-4D10-B3D0-AEC6312D7485\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:keystone:27.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"27FFA65D-9F97-4090-A2DE-7BCECA752693\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:keystone:28.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D194CC0-B80F-41B6-81D3-19D2A25E2B91\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:keystone:29.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1701DAA0-0A2D-45AB-BF8F-EE2DA7AEF689\"}]}]}],\"references\":[{\"url\":\"https://bugs.launchpad.net/keystone/+bug/2142138\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://security.openstack.org/ossa/OSSA-2026-005.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/04/07/12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.launchpad.net/keystone/+bug/2142138\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Issue Tracking\"]}]}}",
"redhat_vex": {
"aggregate_severity": "Low",
"current_release_date": "2026-07-15T12:50:05+00:00",
"cve": "CVE-2026-33551",
"id": "CVE-2026-33551",
"initial_release_date": "2026-04-07T15:00:00+00:00",
"product_status:fixed": "6",
"product_status:known_affected": "6",
"product_status:known_not_affected": "11",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "openstack-keystone: OpenStack Keystone: Privilege escalation through EC2 credential creation",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33551.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/04/07/12\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-04-10T03:07:01.673Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33551\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-10T13:50:09.231560Z\"}}}], \"references\": [{\"url\": \"https://bugs.launchpad.net/keystone/+bug/2142138\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-10T13:50:04.020Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"OpenStack\", \"product\": \"Keystone\", \"versions\": [{\"status\": \"affected\", \"version\": \"14.0.0\", \"lessThan\": \"26.1.1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"27.0.0\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"28.0.0\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"29.0.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://bugs.launchpad.net/keystone/+bug/2142138\"}, {\"url\": \"https://security.openstack.org/ossa/OSSA-2026-005.html\"}], \"x_generator\": {\"engine\": \"enrichogram 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user\u0027s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863 Incorrect Authorization\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"26.1.1\", \"versionStartIncluding\": \"14.0.0\"}, {\"criteria\": \"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"27.0.0\", \"versionStartIncluding\": \"27.0.0\"}, {\"criteria\": \"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"28.0.0\", \"versionStartIncluding\": \"28.0.0\"}, {\"criteria\": \"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"29.0.0\", \"versionStartIncluding\": \"29.0.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2026-04-10T02:02:56.184Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33551\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-10T13:50:43.389Z\", \"dateReserved\": \"2026-03-22T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2026-04-10T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-33551
Vulnerability from fkie_nvd - Published: 2026-04-10 03:16 - Updated: 2026-06-17 10:375.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://bugs.launchpad.net/keystone/+bug/2142138 | Exploit, Issue Tracking | |
| cve@mitre.org | https://security.openstack.org/ossa/OSSA-2026-005.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2026/04/07/12 | Mailing List, Patch, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://bugs.launchpad.net/keystone/+bug/2142138 | Exploit, Issue Tracking |
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "Keystone",
"vendor": "OpenStack",
"versions": [
{
"lessThan": "26.1.1",
"status": "affected",
"version": "14.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "27.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "28.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "29.0.0",
"versionType": "semver"
}
]
}
],
"source": "cve@mitre.org"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
"matchCriteriaId": "57F78A4F-A6DA-4D10-B3D0-AEC6312D7485",
"versionEndExcluding": "26.1.1",
"versionStartIncluding": "14.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:keystone:27.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "27FFA65D-9F97-4090-A2DE-7BCECA752693",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:keystone:28.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6D194CC0-B80F-41B6-81D3-19D2A25E2B91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:keystone:29.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1701DAA0-0A2D-45AB-BF8F-EE2DA7AEF689",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user\u0027s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected."
}
],
"id": "CVE-2026-33551",
"lastModified": "2026-06-17T10:37:41.700",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 1.4,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-33551",
"options": [
{
"exploitation": "poc"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T13:50:09.231560Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-04-10T03:16:02.723",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://bugs.launchpad.net/keystone/+bug/2142138"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://security.openstack.org/ossa/OSSA-2026-005.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://bugs.launchpad.net/keystone/+bug/2142138"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
}
]
}
GHSA-4PHW-6824-6CFP
Vulnerability from github – Published: 2026-04-10 03:31 – Updated: 2026-06-09 11:55An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "14.0.0"
},
{
"fixed": "26.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33551"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T22:09:31Z",
"nvd_published_at": "2026-04-10T03:16:02Z",
"severity": "LOW"
},
"details": "An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user\u0027s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.",
"id": "GHSA-4phw-6824-6cfp",
"modified": "2026-06-09T11:55:45Z",
"published": "2026-04-10T03:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33551"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/2142138"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/keystone"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2026-202.yaml"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2026-005.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenStack Keystone: Restricted application credentials can create EC2 credentials"
}
PYSEC-2026-202
Vulnerability from pysec - Published: 2026-04-10 03:16 - Updated: 2026-06-06 09:31An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
| Name | purl | keystone | pkg:pypi/keystone |
|---|
{
"affected": [
{
"ecosystem_specific": {},
"package": {
"ecosystem": "PyPI",
"name": "keystone",
"purl": "pkg:pypi/keystone"
},
"ranges": [
{
"events": [
{
"introduced": "14.0.0"
},
{
"fixed": "26.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"14.0.0",
"14.0.1",
"14.1.0",
"14.2.0",
"15.0.0",
"15.0.0.0rc1",
"15.0.0.0rc2",
"15.0.1",
"16.0.0",
"16.0.0.0rc1",
"16.0.0.0rc2",
"16.0.1",
"16.0.2",
"17.0.0",
"17.0.0.0rc1",
"17.0.0.0rc2",
"17.0.1",
"18.0.0",
"18.0.0.0rc1",
"18.1.0",
"19.0.0",
"19.0.0.0rc1",
"19.0.0.0rc2",
"19.0.1",
"20.0.0",
"20.0.0.0rc1",
"20.0.1",
"21.0.0",
"21.0.0.0rc1",
"21.0.1",
"22.0.0",
"22.0.0.0rc1",
"22.0.1",
"22.0.2",
"23.0.0",
"23.0.0.0rc1",
"23.0.1",
"23.0.2",
"24.0.0",
"24.0.0.0rc1",
"24.1.0",
"25.0.0",
"25.0.0.0rc1",
"26.0.0",
"26.0.0.0rc1",
"26.1.0"
]
}
],
"aliases": [
"CVE-2026-33551",
"GHSA-4phw-6824-6cfp"
],
"details": "An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user\u0027s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.",
"id": "PYSEC-2026-202",
"modified": "2026-06-06T09:31:39.395371Z",
"published": "2026-04-10T03:16:02.723Z",
"references": [
{
"type": "REPORT",
"url": "https://bugs.launchpad.net/keystone/+bug/2142138"
},
{
"type": "FIX",
"url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"
},
{
"type": "FIX",
"url": "https://security.openstack.org/ossa/OSSA-2026-005.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-4phw-6824-6cfp"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
RHSA-2026:28044
Vulnerability from csaf_redhat - Published: 2026-06-22 21:01 - Updated: 2026-07-15 12:48A flaw was found in OpenStack Keystone. This vulnerability allows an attacker to obtain a valid OpenStack's Keystone token, leading to access to unauthorized resources or privilege escalation within the OpenStack instance via sending a valid AWS (Amazon Web Services) signature to the /v3/ec2tokens or /v3/s3tokens API (Application Programming Interface) endpoints.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOS-17.1:openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch | — |
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src | — |
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch | — |
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src | — |
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch | — |
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch | — |
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch | — |
Workaround
|
|
| Unresolved product id: 9Base-RHOS-17.1:python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch | — |
Workaround
|
A flaw was found in OpenStack Keystone. An authenticated user with a reader role can exploit a vulnerability in the EC2 credential creation endpoint. By using a restricted application credential to call the EC2 credential creation API, the user may obtain EC2/S3 credentials that carry the full set of the parent user's S3 permissions. This effectively bypasses the role restrictions imposed on the application credential, leading to unauthorized access and privilege escalation. This issue affects deployments that use restricted application credentials in combination with the EC2/S3 compatibility API.
CWE-266 - Incorrect Privilege Assignment| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOS-17.1:python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOS-17.1:openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src | — | ||
| Unresolved product id: 9Base-RHOS-17.1:openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch | — | ||
| Unresolved product id: 9Base-RHOS-17.1:openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch | — | ||
| Unresolved product id: 9Base-RHOS-17.1:openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch | — | ||
| Unresolved product id: 9Base-RHOS-17.1:openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch | — | ||
| Unresolved product id: 9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch | — | ||
| Unresolved product id: 9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src | — | ||
| Unresolved product id: 9Base-RHOS-17.1:openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch | — | ||
| Unresolved product id: 9Base-RHOS-17.1:python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch | — | ||
| Unresolved product id: 9Base-RHOS-17.1:python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch | — | ||
| Unresolved product id: 9Base-RHOS-17.1:python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-keystone is now available for Red Hat OpenStack\nPlatform 17.1 (Wallaby).\n\nRed Hat Product Security has rated this update as having a security impact\nof Low. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Keystone is a Python implementation of the OpenStack\n(http://www.openstack.org) identity service API.\n\nSecurity Fix(es):\n\n* OpenStack Keystone: Privilege escalation through EC2 credential creation\n(CVE-2026-33551)\n\n* OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE-2025-65073)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:28044",
"url": "https://access.redhat.com/errata/RHSA-2026:28044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2415344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2415344"
},
{
"category": "external",
"summary": "2451037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451037"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_28044.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenStack Platform 17.1 (openstack-keystone) security update",
"tracking": {
"current_release_date": "2026-07-15T12:48:26+00:00",
"generator": {
"date": "2026-07-15T12:48:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:28044",
"initial_release_date": "2026-06-22T21:01:08+00:00",
"revision_history": [
{
"date": "2026-06-22T21:01:08+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-22T21:01:08+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-15T12:48:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 17.1",
"product": {
"name": "Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:17.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src",
"product": {
"name": "openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src",
"product_id": "openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-swift@2.27.1-17.1.20231004180819.el9ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src",
"product": {
"name": "openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src",
"product_id": "openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-tempest@33.0.0-17.1.20260406141650.1580f6f.el9ost?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src",
"product": {
"name": "openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src",
"product_id": "openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone@19.0.2-17.1.20260529190847.54dd95d.el9ost?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product": {
"name": "openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product_id": "openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-swift-account@2.27.1-17.1.20231004180819.el9ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product": {
"name": "openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product_id": "openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-swift-container@2.27.1-17.1.20231004180819.el9ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product": {
"name": "openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product_id": "openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-swift-object@2.27.1-17.1.20231004180819.el9ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product": {
"name": "openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product_id": "openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-swift-proxy@2.27.1-17.1.20231004180819.el9ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product": {
"name": "python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product_id": "python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-swift@2.27.1-17.1.20231004180819.el9ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product": {
"name": "openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product_id": "openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-tempest@33.0.0-17.1.20260406141650.1580f6f.el9ost?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product": {
"name": "openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product_id": "openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-tempest-all@33.0.0-17.1.20260406141650.1580f6f.el9ost?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product": {
"name": "python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product_id": "python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tempest@33.0.0-17.1.20260406141650.1580f6f.el9ost?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product": {
"name": "python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product_id": "python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tempest-tests@33.0.0-17.1.20260406141650.1580f6f.el9ost?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"product": {
"name": "openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"product_id": "openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone@19.0.2-17.1.20260529190847.54dd95d.el9ost?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"product": {
"name": "python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"product_id": "python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-keystone@19.0.2-17.1.20260529190847.54dd95d.el9ost?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch"
},
"product_reference": "openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src"
},
"product_reference": "openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src"
},
"product_reference": "openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch"
},
"product_reference": "openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch"
},
"product_reference": "openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch"
},
"product_reference": "openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch"
},
"product_reference": "openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch"
},
"product_reference": "openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src"
},
"product_reference": "openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch"
},
"product_reference": "openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch"
},
"product_reference": "python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch"
},
"product_reference": "python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch"
},
"product_reference": "python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOS-17.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch as a component of Red Hat OpenStack Platform 17.1",
"product_id": "9Base-RHOS-17.1:python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch"
},
"product_reference": "python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOS-17.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-65073",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2025-11-17T08:00:54.372992+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src",
"9Base-RHOS-17.1:openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2415344"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenStack Keystone. This vulnerability allows an attacker to obtain a valid OpenStack\u0027s Keystone token, leading to access to unauthorized resources or privilege escalation within the OpenStack instance via sending a valid AWS (Amazon Web Services) signature to the /v3/ec2tokens or /v3/s3tokens API (Application Programming Interface) endpoints.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-keystone: OpenStack Keystone: Unauthorized access and privilege escalation via AWS signature validation flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability allows an attacker to obtain a valid OpenStack\u0027s Keystone token belonging to a valid user by sending a valid AWS signature to the /v3/ec2tokens or /v3/s3tokens API\u0027s endpoints, leading to access to unauthorized resources or privilege escalation within the OpenStack instance.\n\nThis attack is considered to have a high complexity (AC:H) due to the fact of obtaining such valid AWS token is not straight forward. To be considered vulnerable, the OpenStack deployments should expose the related API end points through a public API or external access.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOS-17.1:openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src",
"9Base-RHOS-17.1:openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch"
],
"known_not_affected": [
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src",
"9Base-RHOS-17.1:openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-65073"
},
{
"category": "external",
"summary": "RHBZ#2415344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2415344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-65073",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-65073"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-65073",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65073"
},
{
"category": "external",
"summary": "https://security.openstack.org/ossa/OSSA-2025-002.html",
"url": "https://security.openstack.org/ossa/OSSA-2025-002.html"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2025/11/04/2",
"url": "https://www.openwall.com/lists/oss-security/2025/11/04/2"
}
],
"release_date": "2025-11-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-22T21:01:08+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHOS-17.1:openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src",
"9Base-RHOS-17.1:openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:28044"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src",
"9Base-RHOS-17.1:openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src",
"9Base-RHOS-17.1:openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src",
"9Base-RHOS-17.1:openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src",
"9Base-RHOS-17.1:openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src",
"9Base-RHOS-17.1:openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src",
"9Base-RHOS-17.1:openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-keystone: OpenStack Keystone: Unauthorized access and privilege escalation via AWS signature validation flaw"
},
{
"acknowledgments": [
{
"names": [
"Maxence Bornecque"
],
"organization": "Orange Cyberdefense CERT Vulnerability Intelligence Watch Team"
}
],
"cve": "CVE-2026-33551",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2026-03-24T23:40:47.060000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHOS-17.1:openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src",
"9Base-RHOS-17.1:openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src",
"9Base-RHOS-17.1:openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2451037"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenStack Keystone. An authenticated user with a reader role can exploit a vulnerability in the EC2 credential creation endpoint. By using a restricted application credential to call the EC2 credential creation API, the user may obtain EC2/S3 credentials that carry the full set of the parent user\u0027s S3 permissions. This effectively bypasses the role restrictions imposed on the application credential, leading to unauthorized access and privilege escalation. This issue affects deployments that use restricted application credentials in combination with the EC2/S3 compatibility API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-keystone: OpenStack Keystone: Privilege escalation through EC2 credential creation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src",
"9Base-RHOS-17.1:python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch"
],
"known_not_affected": [
"9Base-RHOS-17.1:openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src",
"9Base-RHOS-17.1:openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src",
"9Base-RHOS-17.1:openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33551"
},
{
"category": "external",
"summary": "RHBZ#2451037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451037"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33551",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33551"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33551",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33551"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2026/04/07/12",
"url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"
},
{
"category": "external",
"summary": "https://security.openstack.org/ossa/OSSA-2026-005.html",
"url": "https://security.openstack.org/ossa/OSSA-2026-005.html"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2026/04/07/12",
"url": "https://www.openwall.com/lists/oss-security/2026/04/07/12"
}
],
"release_date": "2026-04-07T15:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-22T21:01:08+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src",
"9Base-RHOS-17.1:python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:28044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:openstack-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.src",
"9Base-RHOS-17.1:openstack-swift-0:2.27.1-17.1.20231004180819.el9ost.src",
"9Base-RHOS-17.1:openstack-swift-account-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-container-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-object-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-swift-proxy-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:openstack-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.src",
"9Base-RHOS-17.1:openstack-tempest-all-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-keystone-1:19.0.2-17.1.20260529190847.54dd95d.el9ost.noarch",
"9Base-RHOS-17.1:python3-swift-0:2.27.1-17.1.20231004180819.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch",
"9Base-RHOS-17.1:python3-tempest-tests-1:33.0.0-17.1.20260406141650.1580f6f.el9ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openstack-keystone: OpenStack Keystone: Privilege escalation through EC2 credential creation"
}
]
}
RHSA-2026:39808
Vulnerability from csaf_redhat - Published: 2026-07-15 09:52 - Updated: 2026-07-15 12:48A flaw was found in OpenStack Keystone. An authenticated user with a reader role can exploit a vulnerability in the EC2 credential creation endpoint. By using a restricted application credential to call the EC2 credential creation API, the user may obtain EC2/S3 credentials that carry the full set of the parent user's S3 permissions. This effectively bypasses the role restrictions imposed on the application credential, leading to unauthorized access and privilege escalation. This issue affects deployments that use restricted application credentials in combination with the EC2/S3 compatibility API.
CWE-266 - Incorrect Privilege Assignment| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch | — |
Vendor Fix
fix
|
A flaw was found in OpenStack Keystone. When using the LDAP identity backend, the system incorrectly processes the user enabled attribute if the user_enabled_invert configuration option is set to False. This error causes users marked as disabled in LDAP to be treated as enabled within Keystone, allowing them to authenticate and perform actions despite their disabled status. This can lead to unauthorized access to resources.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in OpenStack Keystone. An attacker holding an unrestricted application credential could exploit a vulnerability in the POST /v3/credentials endpoint where the caller-supplied project_id for an EC2-type credential was not validated against the project of the authenticating application credential. This allows the attacker to create an EC2 credential targeting a different project. Subsequently, a /v3/ec2tokens exchange would issue a Keystone token scoped to the targeted project, enabling unauthorized cross-project access and lateral movement within the credential owner's role footprint.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-keystone is now available for Red Hat OpenStack\nServices on OpenShift 18.0 (Antelope).\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Keystone is a Python implementation of the OpenStack\n(http://www.openstack.org) identity service API.\n\nSecurity Fix(es):\n\n* Keystone: OpenStack Keystone: Unauthorized cross-project access due to\nimproper validation in EC2 credential creation (CVE-2026-43001)\n\n* Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP\nuser status handling (CVE-2026-40683)\n\n* OpenStack Keystone: Privilege escalation through EC2 credential creation\n(CVE-2026-33551)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:39808",
"url": "https://access.redhat.com/errata/RHSA-2026:39808"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2451037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451037"
},
{
"category": "external",
"summary": "2458472",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458472"
},
{
"category": "external",
"summary": "2464305",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464305"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_39808.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenStack Services on OpenShift 18.0 (openstack-keystone) security update",
"tracking": {
"current_release_date": "2026-07-15T12:48:56+00:00",
"generator": {
"date": "2026-07-15T12:48:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:39808",
"initial_release_date": "2026-07-15T09:52:02+00:00",
"revision_history": [
{
"date": "2026-07-15T09:52:02+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-15T09:52:02+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-15T12:48:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Services on OpenShift 18.0",
"product": {
"name": "Red Hat OpenStack Services on OpenShift 18.0",
"product_id": "9Base-RHOSO-18.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:18.0::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Services on OpenShift"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"product": {
"name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"product_id": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone@23.0.3-18.0.20260610133808.9e3dfb4.el9ost?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"product": {
"name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"product_id": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone@23.0.3-18.0.20260610133808.9e3dfb4.el9ost?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"product": {
"name": "python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"product_id": "python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-keystone@23.0.3-18.0.20260610133808.9e3dfb4.el9ost?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch as a component of Red Hat OpenStack Services on OpenShift 18.0",
"product_id": "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
},
"product_reference": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOSO-18.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src as a component of Red Hat OpenStack Services on OpenShift 18.0",
"product_id": "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src"
},
"product_reference": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"relates_to_product_reference": "9Base-RHOSO-18.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch as a component of Red Hat OpenStack Services on OpenShift 18.0",
"product_id": "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
},
"product_reference": "python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"relates_to_product_reference": "9Base-RHOSO-18.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Maxence Bornecque"
],
"organization": "Orange Cyberdefense CERT Vulnerability Intelligence Watch Team"
}
],
"cve": "CVE-2026-33551",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2026-03-24T23:40:47.060000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2451037"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenStack Keystone. An authenticated user with a reader role can exploit a vulnerability in the EC2 credential creation endpoint. By using a restricted application credential to call the EC2 credential creation API, the user may obtain EC2/S3 credentials that carry the full set of the parent user\u0027s S3 permissions. This effectively bypasses the role restrictions imposed on the application credential, leading to unauthorized access and privilege escalation. This issue affects deployments that use restricted application credentials in combination with the EC2/S3 compatibility API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-keystone: OpenStack Keystone: Privilege escalation through EC2 credential creation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33551"
},
{
"category": "external",
"summary": "RHBZ#2451037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451037"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33551",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33551"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33551",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33551"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2026/04/07/12",
"url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"
},
{
"category": "external",
"summary": "https://security.openstack.org/ossa/OSSA-2026-005.html",
"url": "https://security.openstack.org/ossa/OSSA-2026-005.html"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2026/04/07/12",
"url": "https://www.openwall.com/lists/oss-security/2026/04/07/12"
}
],
"release_date": "2026-04-07T15:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-15T09:52:02+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:39808"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openstack-keystone: OpenStack Keystone: Privilege escalation through EC2 credential creation"
},
{
"cve": "CVE-2026-40683",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"discovery_date": "2026-04-14T21:01:29.090472+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2458472"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenStack Keystone. When using the LDAP identity backend, the system incorrectly processes the user enabled attribute if the user_enabled_invert configuration option is set to False. This error causes users marked as disabled in LDAP to be treated as enabled within Keystone, allowing them to authenticate and perform actions despite their disabled status. This can lead to unauthorized access to resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenStack Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP user status handling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "There\u0027s a flaw in OpenStack Keystone\u0027s LDAP identity backend allows unauthorized access. When the `user_enabled_invert` configuration option is set to its default of `False`, users marked as disabled in LDAP are incorrectly treated as enabled within Keystone. This enables them to authenticate and perform actions, affecting Red Hat OpenStack Platform deployments utilizing the LDAP identity backend without `user_enabled_invert=True` or `user_enabled_emulation` configured.\n\nThis flaw happens due to the fact that any non-empty string in the Python programing language are handled as `True`, openstack-keystone lacks the proper conversion from string to boolean type when reading the user enabled LDAP attribute when the `user_enabled_invert` configuration is set to false, this will lead to any previously existing user which is disabled in the LDAP side will be handled as enabled by the OpenStack Keystone.\n\nRed Hat Product Security has rated this flaw as having the severity of Moderate as for exploiting this flaw the attacker needs to have a previous access to the targeted system, additionally the impact will be limited to the same level of access the attacker had previously it had its user disabled in the LDAP side.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40683"
},
{
"category": "external",
"summary": "RHBZ#2458472",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458472"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40683",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40683"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40683",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40683"
},
{
"category": "external",
"summary": "https://bugs.launchpad.net/keystone/+bug/2121152",
"url": "https://bugs.launchpad.net/keystone/+bug/2121152"
},
{
"category": "external",
"summary": "https://bugs.launchpad.net/keystone/+bug/2141713",
"url": "https://bugs.launchpad.net/keystone/+bug/2141713"
},
{
"category": "external",
"summary": "https://review.opendev.org/958205",
"url": "https://review.opendev.org/958205"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2026/04/14/9",
"url": "https://www.openwall.com/lists/oss-security/2026/04/14/9"
}
],
"release_date": "2026-04-14T20:05:03.274000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-15T09:52:02+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:39808"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure OpenStack Keystone to correctly interpret the LDAP user enabled attribute. Set the `user_enabled_invert` option to `True` in the `keystone.conf` file.\n\nExample:\n```ini\n[ldap]\nuser_enabled_invert = True\n```\n\nAfter modifying the configuration, restart the Keystone service for the changes to take effect. This may temporarily disrupt authentication services.\n\nAdditionally the user should start using an LDAP attribute with inverted semantics (such as nsAccountLock) to match the same semantics of the keystone side.",
"product_ids": [
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "OpenStack Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP user status handling"
},
{
"cve": "CVE-2026-43001",
"cwe": {
"id": "CWE-1288",
"name": "Improper Validation of Consistency within Input"
},
"discovery_date": "2026-05-01T09:00:55.408726+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464305"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenStack Keystone. An attacker holding an unrestricted application credential could exploit a vulnerability in the POST /v3/credentials endpoint where the caller-supplied project_id for an EC2-type credential was not validated against the project of the authenticating application credential. This allows the attacker to create an EC2 credential targeting a different project. Subsequently, a /v3/ec2tokens exchange would issue a Keystone token scoped to the targeted project, enabling unauthorized cross-project access and lateral movement within the credential owner\u0027s role footprint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenStack Keystone: OpenStack Keystone: Unauthorized cross-project access due to improper validation in EC2 credential creation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw in OpenStack Keystone allows an attacker with an unrestricted application credential to bypass project isolation. By exploiting improper validation during EC2 credential creation, an attacker can gain unauthorized access and move laterally between projects within a Red Hat OpenStack Platform deployment, compromising multi-tenant security. If the roles from the original project the attacker holds a credential are compatible with the roles in the project the attacker is targeting, the attacker can perform the same actions granted permission from the initial project in the targeted project. Depending on the level of privileges the attacker has that means a high impact for confidentiality, availability and integrity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-43001"
},
{
"category": "external",
"summary": "RHBZ#2464305",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464305"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-43001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-43001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43001"
},
{
"category": "external",
"summary": "https://bugs.launchpad.net/keystone/+bug/2149775",
"url": "https://bugs.launchpad.net/keystone/+bug/2149775"
},
{
"category": "external",
"summary": "https://review.opendev.org/c/openstack/keystone/+/985804",
"url": "https://review.opendev.org/c/openstack/keystone/+/985804"
}
],
"release_date": "2026-05-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-15T09:52:02+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:39808"
},
{
"category": "workaround",
"details": "To reduce exposure, ensure that OpenStack application credentials are created with the most restrictive scope possible, limiting their permissions to only what is essential for their intended function. If EC2 credentials are not actively used within your OpenStack deployment, consider disabling the EC2 credential API endpoint in Keystone to prevent unauthorized creation of cross-project EC2 credentials. Refer to the OpenStack Keystone administration guide for detailed instructions on managing application credential scopes and disabling API endpoints. Any changes to Keystone configuration may require a service restart to take effect.",
"product_ids": [
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
"9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
"9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "OpenStack Keystone: OpenStack Keystone: Unauthorized cross-project access due to improper validation in EC2 credential creation"
}
]
}
ubuntu-cve-2026-33551
Vulnerability from osv_ubuntu
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "keystone",
"binary_version": "2:9.3.0-0ubuntu3.2"
},
{
"binary_name": "python-keystone",
"binary_version": "2:9.3.0-0ubuntu3.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "keystone",
"purl": "pkg:deb/ubuntu/keystone@2:9.3.0-0ubuntu3.2?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:8.0.0-0ubuntu1",
"2:9.0.0~b1-0ubuntu1",
"2:9.0.0~b2-0ubuntu1",
"2:9.0.0~b3-0ubuntu1",
"2:9.0.0~rc1-0ubuntu1",
"2:9.0.0-0ubuntu1",
"2:9.0.2-0ubuntu1",
"2:9.0.2-0ubuntu2",
"2:9.1.0-0ubuntu1",
"2:9.2.0-0ubuntu1",
"2:9.3.0-0ubuntu1",
"2:9.3.0-0ubuntu2",
"2:9.3.0-0ubuntu3",
"2:9.3.0-0ubuntu3.1",
"2:9.3.0-0ubuntu3.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "keystone",
"binary_version": "2:13.0.4-0ubuntu1"
},
{
"binary_name": "python-keystone",
"binary_version": "2:13.0.4-0ubuntu1"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "keystone",
"purl": "pkg:deb/ubuntu/keystone@2:13.0.4-0ubuntu1?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:12.0.0-0ubuntu1",
"2:13.0.0~b1-0ubuntu1",
"2:13.0.0~b2-0ubuntu1",
"2:13.0.0~b3-0ubuntu1",
"2:13.0.0~rc1-0ubuntu1",
"2:13.0.0~rc2-0ubuntu1",
"2:13.0.0-0ubuntu1",
"2:13.0.1-0ubuntu1",
"2:13.0.2-0ubuntu1",
"2:13.0.2-0ubuntu3",
"2:13.0.4-0ubuntu1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "keystone",
"binary_version": "2:17.0.1-0ubuntu2+esm1"
},
{
"binary_name": "keystone-common",
"binary_version": "2:17.0.1-0ubuntu2+esm1"
},
{
"binary_name": "python3-keystone",
"binary_version": "2:17.0.1-0ubuntu2+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "keystone",
"purl": "pkg:deb/ubuntu/keystone@2:17.0.1-0ubuntu2+esm1?arch=source\u0026distro=esm-infra/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:16.0.0-0ubuntu1",
"2:17.0.0~b1~git2019121613.db81fee63-0ubuntu1",
"2:17.0.0~b2~git2020020513.99733f172-0ubuntu1",
"2:17.0.0~b3~git2020032415.9f9040257-0ubuntu1",
"2:17.0.0~b3~git2020032415.9f9040257-0ubuntu2",
"2:17.0.0~b3~git2020041013.7bb6314e4-0ubuntu1",
"2:17.0.0-0ubuntu0.20.04.1",
"2:17.0.1-0ubuntu1",
"2:17.0.1-0ubuntu2",
"2:17.0.1-0ubuntu2+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "keystone",
"binary_version": "2:21.0.1-0ubuntu2.4"
},
{
"binary_name": "keystone-common",
"binary_version": "2:21.0.1-0ubuntu2.4"
},
{
"binary_name": "python3-keystone",
"binary_version": "2:21.0.1-0ubuntu2.4"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "keystone",
"purl": "pkg:deb/ubuntu/keystone@2:21.0.1-0ubuntu2.4?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:21.0.1-0ubuntu2.4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:20.0.0-0ubuntu1",
"2:20.0.0+git2021120815.2ddf8f321-0ubuntu1",
"2:20.0.0+git2022011217.771c943ad-0ubuntu1",
"2:20.0.0+git2022030313.a3fc9e7c3-0ubuntu1",
"2:21.0.0-0ubuntu1",
"2:21.0.1-0ubuntu1",
"2:21.0.1-0ubuntu2",
"2:21.0.1-0ubuntu2.1",
"2:21.0.1-0ubuntu2.2"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "keystone",
"binary_version": "2:25.0.0-0ubuntu1.4"
},
{
"binary_name": "keystone-common",
"binary_version": "2:25.0.0-0ubuntu1.4"
},
{
"binary_name": "python3-keystone",
"binary_version": "2:25.0.0-0ubuntu1.4"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "keystone",
"purl": "pkg:deb/ubuntu/keystone@2:25.0.0-0ubuntu1.4?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:25.0.0-0ubuntu1.4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:24.0.0-0ubuntu1",
"2:24.0.0+git2024011916.adfa92b4-0ubuntu1",
"2:25.0.0~rc1-0ubuntu1",
"2:25.0.0-0ubuntu1",
"2:25.0.0-0ubuntu1.1",
"2:25.0.0-0ubuntu1.2"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "keystone",
"binary_version": "2:28.0.0-0ubuntu1.3"
},
{
"binary_name": "keystone-common",
"binary_version": "2:28.0.0-0ubuntu1.3"
},
{
"binary_name": "python3-keystone",
"binary_version": "2:28.0.0-0ubuntu1.3"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "keystone",
"purl": "pkg:deb/ubuntu/keystone@2:28.0.0-0ubuntu1.3?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:28.0.0-0ubuntu1.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:27.0.0-0ubuntu1",
"2:27.0.0+git2025080113.e066e18ab-0ubuntu1",
"2:28.0.0~rc1-0ubuntu1",
"2:28.0.0-0ubuntu1",
"2:28.0.0-0ubuntu1.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "keystone",
"binary_version": "2:29.0.0-0ubuntu1.2"
},
{
"binary_name": "keystone-common",
"binary_version": "2:29.0.0-0ubuntu1.2"
},
{
"binary_name": "python3-keystone",
"binary_version": "2:29.0.0-0ubuntu1.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "keystone",
"purl": "pkg:deb/ubuntu/keystone@2:29.0.0-0ubuntu1.2?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:29.0.0-0ubuntu1.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:28.0.0-0ubuntu1",
"2:28.0.0-0ubuntu2",
"2:28.0.0+git20260119.61.8a42793e7-0ubuntu1",
"2:29.0.0~rc1-0ubuntu1",
"2:29.0.0-0ubuntu1"
]
}
],
"aliases": [],
"details": "An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user\u0027s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.",
"id": "UBUNTU-CVE-2026-33551",
"modified": "2026-06-17T00:05:08Z",
"published": "2026-04-10T03:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-33551"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33551"
},
{
"type": "REPORT",
"url": "https://launchpad.net/bugs/2142138"
},
{
"type": "REPORT",
"url": "https://www.openwall.com/lists/oss-security/2026/04/07/12"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8433-1"
}
],
"related": [
"USN-8433-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-33551"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.