Keystone
Monthly
User impersonation in OpenStack Keystone before 29.0.2 allows an authenticated attacker to obtain a valid Keystone token attributed to an arbitrary victim user by exploiting a missing ownership check in the application credential authentication plugin. The attacker supplies their own application credential ID and secret while embedding a different user's name and domain in the request body, and Keystone issues a project-scoped token carrying the intersection of the attacker's application credential roles and the victim's project roles. This enables audit log evasion, exposure of the victim's credentials, and unauthorized action within shared OpenStack projects. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
RBAC authorization bypass in OpenStack Keystone allows any authenticated low-privilege user to inject arbitrary policy target attributes into the policy enforcement context, overwriting database-verified identity data and impersonating other users or projects. Affected deployments span Rocky (14.0.0) through all versions prior to 29.0.2, a roughly eight-year window introduced by commit 5ea59f52. No public exploit code or CISA KEV listing exists at time of analysis, but the network-exploitable, changed-scope nature of the flaw makes it a meaningful risk in multi-tenant OpenStack environments.
Privilege escalation in OpenStack Keystone before 29.0.2 allows an authenticated attacker holding only the member role on a project to gain full admin access by chaining an application credential impersonation vulnerability with a logic flaw in Keystone trust delegation. When an attacker uses impersonated credentials to carry a victim admin's identity, Keystone's trust creation logic incorrectly validates delegated roles against the victim's actual database role assignments rather than the roles encoded in the requesting token, permitting the attacker to create a trust that confers the victim's admin role. The resulting trust persists independently and can be used to mint additional trusts and application credentials for sustained access, with all activity attributed to the victim's identity. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA KEV.
OpenStack Keystone's federated token rescoping mechanism allows authenticated federated users to indefinitely extend their session beyond operator-configured token lifetime policies by repeatedly calling POST /v3/auth/tokens before each token expires. The root cause is that handle_scoped_token() in the mapped authentication plugin omits the expires_at field from its response, causing the token provider to silently issue a fresh default-TTL token instead of inheriting the original token's expiry. This effectively renders token lifetime enforcement inoperative for all SAML2 and OpenID Connect-backed federated deployments running Keystone versions prior to 29.0.2. No public exploit code exists and this is not listed in CISA KEV, but the technique is trivially repeatable by any valid federated user.
Keystone is a content management system for Node.js. This vulnerability is rated low severity (CVSS 3.1) and is remotely exploitable. No vendor patch is available.