Skip to main content

OpenStack Keystone CVE-2026-43000

HIGH
Incorrect Authorization (CWE-863)
2026-05-28 mitre
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.5 HIGH

AV:N to the Keystone API and PR:L for a member-role account, but AC:H because success requires chaining a separate application-credential impersonation flaw and a victim holding admin; full C/I/A:H on admin takeover.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
8.4 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 30, 2026 - 04:19 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:18 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:18 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 03:24 NVD
6.0 (MEDIUM) 8.8 (HIGH)
Analysis Generated
May 28, 2026 - 19:30 vuln.today

DescriptionNVD

An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.

AnalysisAI

Privilege escalation in OpenStack Keystone before 29.0.2 lets a user holding only the member role on a project chain unrestricted application credentials with Keystone trusts to obtain admin. Because Keystone validates delegated roles against the victim's actual database role assignments rather than the roles on the requesting token, an attacker who can impersonate a victim's token can mint a trust delegating the victim's admin role to themselves, with all activity logged under the victim's identity. Exploitation is only practical when paired with a separate application-credential impersonation flaw; EPSS is very low (0.03%) and there is no public exploit identified at time of analysis.

Technical ContextAI

Keystone is the centralized identity, authentication, and authorization service for OpenStack, issuing the tokens that govern access to every other OpenStack service (Nova, Neutron, Cinder, etc.). The flaw is a CWE-863 Incorrect Authorization issue in Keystone's trust and application-credential delegation logic: trusts let a trustor delegate a subset of roles to a trustee, and the trustor-validation step confirms the requesting token carries the trustor's identity. The defect is that role validation for the trust is performed against the trustor/victim's persisted role assignments in the database instead of against the (potentially constrained) roles actually present on the requesting token, so an impersonated token that carries the victim's identity passes validation and can delegate the victim's full privilege set, including admin. The single affected CPE is cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: upgrade Keystone to 29.0.2 or later (the first fixed release), following OSSA-2026-015 (https://security.openstack.org/ossa/OSSA-2026-015.html); operators running distro packages should apply the corresponding Ubuntu update from USN-8433-1 or the Red Hat errata referenced in their VEX (https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43000.json). Because exploitation depends on chaining with an application-credential impersonation flaw, patch any related application-credential vulnerabilities concurrently. Until patched, reduce exposure by restricting who can create application credentials and trusts - for example tighten the relevant Keystone policy rules (identity:create_application_credential, identity:create_trust) so untrusted member-role users cannot mint unrestricted application credentials, accepting the trade-off that legitimate automation relying on self-service credentials/trusts will break. Audit existing trusts and application credentials for unexpected admin-role delegations and revoke suspicious ones; note that because malicious actions are logged under the victim's identity, log review alone is unreliable for detection.

CVE-2017-15879 HIGH POC
8.8 Oct 24

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCS

CVE-2022-39382 CRITICAL POC
9.8 Nov 03

Keystone is a headless CMS for Node.js - built with GraphQL and React.`@keystone-6/core@3.0.0 || 3.0.1` users that use `

CVE-2022-39322 CRITICAL POC
9.8 Oct 25

@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Rated critical severity (CVS

CVE-2022-29354 CRITICAL POC
9.8 May 16

An arbitrary file upload vulnerability in the file upload module of Keystone v4.2.1 allows attackers to execute arbitrar

CVE-2017-16570 HIGH POC
8.8 Nov 06

KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureL

CVE-2019-19687 HIGH POC
8.8 Dec 09

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Rated high severity (CVSS

CVE-2021-38155 HIGH POC
7.5 Aug 06

OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allow

CVE-2017-15878 MEDIUM POC
6.1 Oct 24

A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-be

CVE-2022-2447 MEDIUM POC
6.6 Sep 01

A flaw was found in Keystone. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. Public explo

CVE-2014-3520 MEDIUM POC
6.5 Oct 26

OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticate

CVE-2014-0204 MEDIUM POC
6.5 Nov 03

OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the s

CVE-2013-2059 MEDIUM POC
6.0 May 21

OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revo

Vendor StatusVendor

Share

CVE-2026-43000 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy