OpenStack Keystone CVE-2026-44394
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.
AnalysisAI
OpenStack Keystone's federated token rescoping mechanism allows authenticated federated users to indefinitely extend their session beyond operator-configured token lifetime policies by repeatedly calling POST /v3/auth/tokens before each token expires. The root cause is that handle_scoped_token() in the mapped authentication plugin omits the expires_at field from its response, causing the token provider to silently issue a fresh default-TTL token instead of inheriting the original token's expiry. This effectively renders token lifetime enforcement inoperative for all SAML2 and OpenID Connect-backed federated deployments running Keystone versions prior to 29.0.2. No public exploit code exists and this is not listed in CISA KEV, but the technique is trivially repeatable by any valid federated user.
Technical ContextAI
OpenStack Keystone is the identity service for OpenStack, providing authentication and authorization via token issuance. The federated identity subsystem integrates external Identity Providers (IdPs) using SAML2 or OpenID Connect, mapping external assertions to local Keystone identities. When a federated user rescopes a token (changing the project or domain scope), the mapped authentication plugin's handle_scoped_token() function constructs the authentication response. The bug (CWE-863: Incorrect Authorization) manifests as a logic gap: the function does not copy the original token's expires_at into the response payload, so the token provider's fallback behavior issues a new token with a fresh default TTL - typically configured by the operator as a site-wide maximum. The affected CPE is cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:* for all versions before 29.0.2. This is a recurrence of CVE-2012-3426, which described a similar TTL inheritance failure in an earlier Keystone release, indicating the fix from that era did not cover the federated code path introduced later.
RemediationAI
Upgrade OpenStack Keystone to version 29.0.2 or later, as confirmed by the vendor in OSSA-2026-015 (https://security.openstack.org/ossa/OSSA-2026-015.html). This is the primary and recommended fix. If immediate upgrade is not feasible, operators can implement the following compensating controls with noted trade-offs: First, disable federated identity (SAML2/OIDC) entirely if it is not operationally required - this eliminates the vulnerable code path but removes all federated SSO capability. Second, reduce the default token TTL to the minimum operationally acceptable value in keystone.conf ([token] expiration = <seconds>); this does not prevent the bypass but limits the window of unauthorized access per rescoping cycle. Third, deploy token audit logging and alert on users who rescope tokens at unusually high frequency, which can detect abuse without blocking legitimate use. Note that none of the workarounds fully remediate the policy bypass - only patching to 29.0.2 closes the vulnerability.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today