RHSA-2026:39808

Vulnerability from csaf_redhat - Published: 2026-07-15 09:52 - Updated: 2026-07-15 12:48
Summary
Red Hat Security Advisory: Red Hat OpenStack Services on OpenShift 18.0 (openstack-keystone) security update
Severity
Important
Notes
Topic: An update for openstack-keystone is now available for Red Hat OpenStack Services on OpenShift 18.0 (Antelope). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Keystone is a Python implementation of the OpenStack (http://www.openstack.org) identity service API. Security Fix(es): * Keystone: OpenStack Keystone: Unauthorized cross-project access due to improper validation in EC2 credential creation (CVE-2026-43001) * Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP user status handling (CVE-2026-40683) * OpenStack Keystone: Privilege escalation through EC2 credential creation (CVE-2026-33551) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

A flaw was found in OpenStack Keystone. An authenticated user with a reader role can exploit a vulnerability in the EC2 credential creation endpoint. By using a restricted application credential to call the EC2 credential creation API, the user may obtain EC2/S3 credentials that carry the full set of the parent user's S3 permissions. This effectively bypasses the role restrictions imposed on the application credential, leading to unauthorized access and privilege escalation. This issue affects deployments that use restricted application credentials in combination with the EC2/S3 compatibility API.

CWE-266 - Incorrect Privilege Assignment
Affected products
Product Identifier Version Remediation
Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch
Vendor Fix fix
Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src
Vendor Fix fix
Unresolved product id: 9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch
Vendor Fix fix
Threats
Impact Low

A flaw was found in OpenStack Keystone. When using the LDAP identity backend, the system incorrectly processes the user enabled attribute if the user_enabled_invert configuration option is set to False. This error causes users marked as disabled in LDAP to be treated as enabled within Keystone, allowing them to authenticate and perform actions despite their disabled status. This can lead to unauthorized access to resources.

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Affected products
Product Identifier Version Remediation
Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch
Vendor Fix fix
Workaround
Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src
Vendor Fix fix
Workaround
Unresolved product id: 9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch
Vendor Fix fix
Workaround
Threats
Impact Moderate

A flaw was found in OpenStack Keystone. An attacker holding an unrestricted application credential could exploit a vulnerability in the POST /v3/credentials endpoint where the caller-supplied project_id for an EC2-type credential was not validated against the project of the authenticating application credential. This allows the attacker to create an EC2 credential targeting a different project. Subsequently, a /v3/ec2tokens exchange would issue a Keystone token scoped to the targeted project, enabling unauthorized cross-project access and lateral movement within the credential owner's role footprint.

CWE-1288 - Improper Validation of Consistency within Input
Affected products
Product Identifier Version Remediation
Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch
Vendor Fix fix
Workaround
Unresolved product id: 9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src
Vendor Fix fix
Workaround
Unresolved product id: 9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch
Vendor Fix fix
Workaround
Threats
Impact Important
References
URL Category
https://access.redhat.com/errata/RHSA-2026:39808 self
https://access.redhat.com/security/updates/classi… external
https://bugzilla.redhat.com/show_bug.cgi?id=2451037 external
https://bugzilla.redhat.com/show_bug.cgi?id=2458472 external
https://bugzilla.redhat.com/show_bug.cgi?id=2464305 external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2026-33551 self
https://bugzilla.redhat.com/show_bug.cgi?id=2451037 external
https://www.cve.org/CVERecord?id=CVE-2026-33551 external
https://nvd.nist.gov/vuln/detail/CVE-2026-33551 external
http://www.openwall.com/lists/oss-security/2026/0… external
https://security.openstack.org/ossa/OSSA-2026-005.html external
https://www.openwall.com/lists/oss-security/2026/… external
https://access.redhat.com/security/cve/CVE-2026-40683 self
https://bugzilla.redhat.com/show_bug.cgi?id=2458472 external
https://www.cve.org/CVERecord?id=CVE-2026-40683 external
https://nvd.nist.gov/vuln/detail/CVE-2026-40683 external
https://bugs.launchpad.net/keystone/+bug/2121152 external
https://bugs.launchpad.net/keystone/+bug/2141713 external
https://review.opendev.org/958205 external
https://www.openwall.com/lists/oss-security/2026/… external
https://access.redhat.com/security/cve/CVE-2026-43001 self
https://bugzilla.redhat.com/show_bug.cgi?id=2464305 external
https://www.cve.org/CVERecord?id=CVE-2026-43001 external
https://nvd.nist.gov/vuln/detail/CVE-2026-43001 external
https://bugs.launchpad.net/keystone/+bug/2149775 external
https://review.opendev.org/c/openstack/keystone/+… external
Acknowledgments
Orange Cyberdefense CERT Vulnerability Intelligence Watch Team Maxence Bornecque

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for openstack-keystone is now available for Red Hat OpenStack\nServices on OpenShift 18.0 (Antelope).\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Keystone is a Python implementation of the OpenStack\n(http://www.openstack.org) identity service API.\n\nSecurity Fix(es):\n\n* Keystone: OpenStack Keystone: Unauthorized cross-project access due to\nimproper validation in EC2 credential creation (CVE-2026-43001)\n\n* Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP\nuser status handling (CVE-2026-40683)\n\n* OpenStack Keystone: Privilege escalation through EC2 credential creation\n(CVE-2026-33551)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:39808",
        "url": "https://access.redhat.com/errata/RHSA-2026:39808"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2451037",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451037"
      },
      {
        "category": "external",
        "summary": "2458472",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458472"
      },
      {
        "category": "external",
        "summary": "2464305",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464305"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_39808.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenStack Services on OpenShift 18.0 (openstack-keystone) security update",
    "tracking": {
      "current_release_date": "2026-07-15T12:48:56+00:00",
      "generator": {
        "date": "2026-07-15T12:48:56+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.3.2"
        }
      },
      "id": "RHSA-2026:39808",
      "initial_release_date": "2026-07-15T09:52:02+00:00",
      "revision_history": [
        {
          "date": "2026-07-15T09:52:02+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-07-15T09:52:02+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-07-15T12:48:56+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenStack Services on OpenShift 18.0",
                "product": {
                  "name": "Red Hat OpenStack Services on OpenShift 18.0",
                  "product_id": "9Base-RHOSO-18.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:18.0::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Services on OpenShift"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
                "product": {
                  "name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
                  "product_id": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-keystone@23.0.3-18.0.20260610133808.9e3dfb4.el9ost?arch=src\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
                "product": {
                  "name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
                  "product_id": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-keystone@23.0.3-18.0.20260610133808.9e3dfb4.el9ost?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
                "product": {
                  "name": "python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
                  "product_id": "python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python3-keystone@23.0.3-18.0.20260610133808.9e3dfb4.el9ost?arch=noarch\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch as a component of Red Hat OpenStack Services on OpenShift 18.0",
          "product_id": "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
        },
        "product_reference": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
        "relates_to_product_reference": "9Base-RHOSO-18.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src as a component of Red Hat OpenStack Services on OpenShift 18.0",
          "product_id": "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src"
        },
        "product_reference": "openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
        "relates_to_product_reference": "9Base-RHOSO-18.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch as a component of Red Hat OpenStack Services on OpenShift 18.0",
          "product_id": "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
        },
        "product_reference": "python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
        "relates_to_product_reference": "9Base-RHOSO-18.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Maxence Bornecque"
          ],
          "organization": "Orange Cyberdefense CERT Vulnerability Intelligence Watch Team"
        }
      ],
      "cve": "CVE-2026-33551",
      "cwe": {
        "id": "CWE-266",
        "name": "Incorrect Privilege Assignment"
      },
      "discovery_date": "2026-03-24T23:40:47.060000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2451037"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in OpenStack Keystone. An authenticated user with a reader role can exploit a vulnerability in the EC2 credential creation endpoint. By using a restricted application credential to call the EC2 credential creation API, the user may obtain EC2/S3 credentials that carry the full set of the parent user\u0027s S3 permissions. This effectively bypasses the role restrictions imposed on the application credential, leading to unauthorized access and privilege escalation. This issue affects deployments that use restricted application credentials in combination with the EC2/S3 compatibility API.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openstack-keystone: OpenStack Keystone: Privilege escalation through EC2 credential creation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
          "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
          "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33551"
        },
        {
          "category": "external",
          "summary": "RHBZ#2451037",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451037"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33551",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33551"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33551",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33551"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2026/04/07/12",
          "url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"
        },
        {
          "category": "external",
          "summary": "https://security.openstack.org/ossa/OSSA-2026-005.html",
          "url": "https://security.openstack.org/ossa/OSSA-2026-005.html"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2026/04/07/12",
          "url": "https://www.openwall.com/lists/oss-security/2026/04/07/12"
        }
      ],
      "release_date": "2026-04-07T15:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-15T09:52:02+00:00",
          "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
            "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:39808"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
            "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openstack-keystone: OpenStack Keystone: Privilege escalation through EC2 credential creation"
    },
    {
      "cve": "CVE-2026-40683",
      "cwe": {
        "id": "CWE-843",
        "name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
      },
      "discovery_date": "2026-04-14T21:01:29.090472+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2458472"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in OpenStack Keystone. When using the LDAP identity backend, the system incorrectly processes the user enabled attribute if the user_enabled_invert configuration option is set to False. This error causes users marked as disabled in LDAP to be treated as enabled within Keystone, allowing them to authenticate and perform actions despite their disabled status. This can lead to unauthorized access to resources.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "OpenStack Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP user status handling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "There\u0027s a flaw in OpenStack Keystone\u0027s LDAP identity backend allows unauthorized access. When the `user_enabled_invert` configuration option is set to its default of `False`, users marked as disabled in LDAP are incorrectly treated as enabled within Keystone. This enables them to authenticate and perform actions, affecting Red Hat OpenStack Platform deployments utilizing the LDAP identity backend without `user_enabled_invert=True` or `user_enabled_emulation` configured.\n\nThis flaw happens due to the fact that any non-empty string in the Python programing language are handled as `True`, openstack-keystone lacks the proper conversion from string to boolean type when reading the user enabled LDAP attribute when the `user_enabled_invert` configuration is set to false, this will lead to any previously existing user which is disabled in the LDAP side will be handled as enabled by the OpenStack Keystone.\n\nRed Hat Product Security has rated this flaw as having the severity of Moderate as for exploiting this flaw the attacker needs to have a previous access to the targeted system, additionally the impact will be limited to the same level of access the attacker had previously it had its user disabled in the LDAP side.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
          "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
          "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-40683"
        },
        {
          "category": "external",
          "summary": "RHBZ#2458472",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458472"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-40683",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-40683"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40683",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40683"
        },
        {
          "category": "external",
          "summary": "https://bugs.launchpad.net/keystone/+bug/2121152",
          "url": "https://bugs.launchpad.net/keystone/+bug/2121152"
        },
        {
          "category": "external",
          "summary": "https://bugs.launchpad.net/keystone/+bug/2141713",
          "url": "https://bugs.launchpad.net/keystone/+bug/2141713"
        },
        {
          "category": "external",
          "summary": "https://review.opendev.org/958205",
          "url": "https://review.opendev.org/958205"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2026/04/14/9",
          "url": "https://www.openwall.com/lists/oss-security/2026/04/14/9"
        }
      ],
      "release_date": "2026-04-14T20:05:03.274000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-15T09:52:02+00:00",
          "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
            "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:39808"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, configure OpenStack Keystone to correctly interpret the LDAP user enabled attribute. Set the `user_enabled_invert` option to `True` in the `keystone.conf` file.\n\nExample:\n```ini\n[ldap]\nuser_enabled_invert = True\n```\n\nAfter modifying the configuration, restart the Keystone service for the changes to take effect. This may temporarily disrupt authentication services.\n\nAdditionally the user should start using an LDAP attribute with inverted semantics (such as nsAccountLock) to match the same semantics of the keystone side.",
          "product_ids": [
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
            "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
            "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "OpenStack Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP user status handling"
    },
    {
      "cve": "CVE-2026-43001",
      "cwe": {
        "id": "CWE-1288",
        "name": "Improper Validation of Consistency within Input"
      },
      "discovery_date": "2026-05-01T09:00:55.408726+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2464305"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in OpenStack Keystone. An attacker holding an unrestricted application credential could exploit a vulnerability in the POST /v3/credentials endpoint where the caller-supplied project_id for an EC2-type credential was not validated against the project of the authenticating application credential. This allows the attacker to create an EC2 credential targeting a different project. Subsequently, a /v3/ec2tokens exchange would issue a Keystone token scoped to the targeted project, enabling unauthorized cross-project access and lateral movement within the credential owner\u0027s role footprint.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "OpenStack Keystone: OpenStack Keystone: Unauthorized cross-project access due to improper validation in EC2 credential creation",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw in OpenStack Keystone allows an attacker with an unrestricted application credential to bypass project isolation. By exploiting improper validation during EC2 credential creation, an attacker can gain unauthorized access and move laterally between projects within a Red Hat OpenStack Platform deployment, compromising multi-tenant security. If the roles from the original project the attacker holds a credential are compatible with the roles in the project the attacker is targeting, the attacker can perform the same actions granted permission from the initial project in the targeted project. Depending on the level of privileges the attacker has that means a high impact for confidentiality, availability and integrity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
          "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
          "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-43001"
        },
        {
          "category": "external",
          "summary": "RHBZ#2464305",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464305"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-43001",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-43001"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-43001",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43001"
        },
        {
          "category": "external",
          "summary": "https://bugs.launchpad.net/keystone/+bug/2149775",
          "url": "https://bugs.launchpad.net/keystone/+bug/2149775"
        },
        {
          "category": "external",
          "summary": "https://review.opendev.org/c/openstack/keystone/+/985804",
          "url": "https://review.opendev.org/c/openstack/keystone/+/985804"
        }
      ],
      "release_date": "2026-05-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-15T09:52:02+00:00",
          "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
            "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:39808"
        },
        {
          "category": "workaround",
          "details": "To reduce exposure, ensure that OpenStack application credentials are created with the most restrictive scope possible, limiting their permissions to only what is essential for their intended function. If EC2 credentials are not actively used within your OpenStack deployment, consider disabling the EC2 credential API endpoint in Keystone to prevent unauthorized creation of cross-project EC2 credentials. Refer to the OpenStack Keystone administration guide for detailed instructions on managing application credential scopes and disabling API endpoints. Any changes to Keystone configuration may require a service restart to take effect.",
          "product_ids": [
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
            "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch",
            "9Base-RHOSO-18.0:openstack-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.src",
            "9Base-RHOSO-18.0:python3-keystone-1:23.0.3-18.0.20260610133808.9e3dfb4.el9ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "OpenStack Keystone: OpenStack Keystone: Unauthorized cross-project access due to improper validation in EC2 credential creation"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…