CVE-2026-33551 (GCVE-0-2026-33551)

Vulnerability from cvelistv5 – Published: 2026-04-10 00:00 – Updated: 2026-04-10 13:50
VLAI?
Summary
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
Severity ?
3.5 (Low)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
CWE
  • CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
Vendor Product Version
OpenStack Keystone Affected: 14.0.0 , < 26.1.1 (semver)
Affected: 27.0.0 (semver)
Affected: 28.0.0 (semver)
Affected: 29.0.0 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T03:07:01.673Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33551",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T13:50:09.231560Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T13:50:43.389Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://bugs.launchpad.net/keystone/+bug/2142138"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Keystone",
          "vendor": "OpenStack",
          "versions": [
            {
              "lessThan": "26.1.1",
              "status": "affected",
              "version": "14.0.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "27.0.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "28.0.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "29.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "26.1.1",
                  "versionStartIncluding": "14.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "27.0.0",
                  "versionStartIncluding": "27.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "28.0.0",
                  "versionStartIncluding": "28.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "29.0.0",
                  "versionStartIncluding": "29.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user\u0027s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T02:02:56.184Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://bugs.launchpad.net/keystone/+bug/2142138"
        },
        {
          "url": "https://security.openstack.org/ossa/OSSA-2026-005.html"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-33551",
    "datePublished": "2026-04-10T00:00:00.000Z",
    "dateReserved": "2026-03-22T00:00:00.000Z",
    "dateUpdated": "2026-04-10T13:50:43.389Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33551\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2026-04-10T03:16:02.723\",\"lastModified\":\"2026-04-10T14:16:35.027\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user\u0027s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"references\":[{\"url\":\"https://bugs.launchpad.net/keystone/+bug/2142138\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.openstack.org/ossa/OSSA-2026-005.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/04/07/12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugs.launchpad.net/keystone/+bug/2142138\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/04/07/12\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-04-10T03:07:01.673Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33551\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-10T13:50:09.231560Z\"}}}], \"references\": [{\"url\": \"https://bugs.launchpad.net/keystone/+bug/2142138\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-10T13:50:04.020Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"OpenStack\", \"product\": \"Keystone\", \"versions\": [{\"status\": \"affected\", \"version\": \"14.0.0\", \"lessThan\": \"26.1.1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"27.0.0\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"28.0.0\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"29.0.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://bugs.launchpad.net/keystone/+bug/2142138\"}, {\"url\": \"https://security.openstack.org/ossa/OSSA-2026-005.html\"}], \"x_generator\": {\"engine\": \"enrichogram 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user\u0027s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863 Incorrect Authorization\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"26.1.1\", \"versionStartIncluding\": \"14.0.0\"}, {\"criteria\": \"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"27.0.0\", \"versionStartIncluding\": \"27.0.0\"}, {\"criteria\": \"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"28.0.0\", \"versionStartIncluding\": \"28.0.0\"}, {\"criteria\": \"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"29.0.0\", \"versionStartIncluding\": \"29.0.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2026-04-10T02:02:56.184Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33551\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-10T13:50:43.389Z\", \"dateReserved\": \"2026-03-22T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2026-04-10T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.