OpenStack Keystone CVE-2026-42999
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Any authenticated user (PR:L) can reach the network API (AV:N) and trivially inject target attributes (AC:L), enabling cross-tenant read, modify, and delete (C/I/A:H).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0).
AnalysisAI
Authorization bypass in OpenStack Keystone before 29.0.2 lets any authenticated user override trusted RBAC policy targets by injecting attributes like user_id or project_id into the JSON request body. The enforce_call routine unconditionally merges the raw request body over database-derived target data, so low-privileged users can perform operations on resources owned by other users or projects. No public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.03%), but the flaw is trivially exploitable by any account and a vendor patch is available.
Technical ContextAI
Keystone is the centralized identity and authorization service for OpenStack, and its policy enforcer (oslo.policy / RBAC layer) is the gatekeeper for nearly every API operation across the cloud. The root cause is a CWE-863 incorrect authorization: in enforce_call, the code executes policy_dict.update(json_input.copy()), merging the attacker-controlled request body into the policy enforcement dictionary AFTER trusted target attributes were populated from database lookups, allowing the untrusted values to win. Because flask.request.get_json is called with force=True, the body is parsed and merged regardless of Content-Type header or HTTP method, widening the trigger surface. The affected component is cpe:2.3:a:openstack:keystone, written in Python, and the defect was introduced in commit 5ea59f52 dating back to the Rocky/14.0.0 release, meaning a long span of releases is impacted.
RemediationAI
Vendor-released patch: upgrade OpenStack Keystone to 29.0.2 or later, which corrects enforce_call so the untrusted request body no longer overwrites database-derived policy targets. Distribution users should apply their packaged fixes - Ubuntu via USN-8433-1 (https://ubuntu.com/security/notices/USN-8433-1) and Red Hat per the advisory at https://access.redhat.com/security/cve/CVE-2026-42999 - and consult OSSA-2026-015 (https://security.openstack.org/ossa/OSSA-2026-015.html) for backport guidance to older supported branches (the bug reaches back to Rocky/14.0.0). If immediate patching is impossible, compensating controls are limited because the flaw is in the core enforcement path: place Keystone behind an API gateway or WSGI middleware that strips or rejects JSON request bodies on GET/DELETE and other methods that should not carry payloads (trade-off: may break clients that rely on Keystone's force=True parsing), tighten and monitor API audit logs for requests where body-supplied user_id/project_id differs from the token scope, and restrict API exposure to trusted networks to reduce the authenticated attacker population (trade-off: does not stop a legitimate-but-malicious tenant). These are stopgaps only - upgrading to 29.0.2 is the sole complete fix.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today