Skip to main content

OpenStack Keystone CVE-2026-42999

MEDIUM
Incorrect Authorization (CWE-863)
2026-05-28 mitre
Authentication Bypass Python Keystone
6.0
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 19:30 vuln.today

DescriptionNVD

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0).

AnalysisAI

RBAC authorization bypass in OpenStack Keystone allows any authenticated low-privilege user to inject arbitrary policy target attributes into the policy enforcement context, overwriting database-verified identity data and impersonating other users or projects. Affected deployments span Rocky (14.0.0) through all versions prior to 29.0.2, a roughly eight-year window introduced by commit 5ea59f52. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-42999 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy