Skip to main content

OpenStack Keystone CVE-2026-42998

MEDIUM
Incorrect Authorization (CWE-863)
2026-05-28 mitre
6.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Red Hat
4.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 19:30 vuln.today

DescriptionCVE.org

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.

AnalysisAI

User impersonation in OpenStack Keystone before 29.0.2 allows an authenticated attacker to obtain a valid Keystone token attributed to an arbitrary victim user by exploiting a missing ownership check in the application credential authentication plugin. The attacker supplies their own application credential ID and secret while embedding a different user's name and domain in the request body, and Keystone issues a project-scoped token carrying the intersection of the attacker's application credential roles and the victim's project roles. This enables audit log evasion, exposure of the victim's credentials, and unauthorized action within shared OpenStack projects. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

OpenStack Keystone (CPE: cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*) is the identity and authentication service for OpenStack cloud deployments, responsible for issuing scoped tokens used across all OpenStack APIs. Application credentials are a Keystone feature that allows users and automation pipelines to authenticate non-interactively using a pre-generated credential pair (ID and secret) tied to a specific user account, without exposing the account password. The vulnerability is rooted in CWE-863 (Incorrect Authorization): the application credential authentication plugin validates the credential ID and secret correctly but fails to assert that the 'user' field supplied in the authentication request body actually corresponds to the owner of that application credential. This breaks the binding assumption of application credentials - that the authenticating identity is the same as the credential owner. The Scope:Changed (S:C) vector element reflects that a successful exploit crosses privilege boundaries, producing a token scoped to resources and roles belonging to the victim rather than the attacker.

RemediationAI

Upgrade OpenStack Keystone to version 29.0.2 or later, which introduces the ownership check validating that the user identity supplied in the authentication request matches the owner of the presented application credential. The fix is documented in OpenStack Security Advisory OSSA-2026-015 at https://security.openstack.org/ossa/OSSA-2026-015.html. For operators unable to patch immediately, a compensating control is to audit and restrict which users have application credentials by reviewing existing credentials via the Keystone API and revoking those belonging to accounts that should not be performing cross-project operations. Additionally, enforcing strict role separation - ensuring users in shared projects do not hold overlapping roles - limits the effective scope of any impersonation token, since the issued token only carries the role intersection. Disabling application credential authentication entirely would fully block this attack vector but would break any automation or service accounts relying on this feature, so that trade-off must be evaluated against operational requirements.

Vendor StatusVendor

Share

CVE-2026-42998 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy