EUVD-2026-21278
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
4Description
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
Analysis
OpenStack Keystone 14 through 29.x allows authenticated users with restricted application credentials to create EC2 credentials that inherit the parent user's full S3 permissions, bypassing role restrictions. This privilege escalation affects only deployments combining restricted application credentials with the EC2/S3 compatibility API (swift3/s3api), and requires valid authentication credentials and moderate attack complexity to exploit.
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2:18.0.0-3+deb11u1 | - |
| bullseye (security) | vulnerable | 2:18.1.0-1+deb11u2 | - |
| bookworm, bookworm (security) | vulnerable | 2:22.0.2-0+deb12u1 | - |
| trixie (security), trixie | vulnerable | 2:27.0.0-3+deb13u1 | - |
| forky, sid | vulnerable | 2:29.0.0-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today