====================================================================
OSSA-2026-001: Privilege Escalation via Identity Headers in External
               OAuth2 Tokens
====================================================================

:Date: January 15, 2026
:CVE: CVE-2026-22797

Affects
~~~~~~~
- Keystonemiddleware: >=10.0.0 <10.7.2, >=10.8.0 <10.9.1, >=10.10.0 <10.12.1

Description
~~~~~~~~~~~
Grzegorz Grasza with Red Hat reported a vulnerability in the external_oauth2_token middleware for keystonemiddleware. This middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected.

Patches
~~~~~~~
- https://review.opendev.org/973499 (2024.1/caracal)
- https://review.opendev.org/973497 (2024.2/dalmatian)
- https://review.opendev.org/973496 (2025.1/epoxy)
- https://review.opendev.org/973495 (2025.2/flamingo)
- https://review.opendev.org/973494 (2026.1/gazpacho)

Credits
~~~~~~~
- Grzegorz Grasza from Red Hat (CVE-2026-22797)

References
~~~~~~~~~~
- https://launchpad.net/bugs/2129018
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22797

Notes
~~~~~
- The unmaintained/2024.1 branches will receive no new point releases,
  but patches for them are provided as a courtesy.
- This bug was possible because the middleware only conditionally set
  certain headers (e.g., X-Is-Admin-Project was only set when the token
  had admin privileges), leaving spoofed values intact when conditions
  were not met.
- The fix adds a call to remove_auth_headers() at the start of request
  processing to sanitize all incoming identity headers, matching the
  behavior of the main auth_token middleware.
- The external_oauth2_token middleware was introduced in
  keystonemiddleware 10.0.0.
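
The following is an added illustration, not keystonemiddleware's own code, of the defect class the notes above describe and of the shape of the fix. It is a minimal WSGI-style middleware with a constructed token table standing in for OAuth 2.0 token validation; the header names are the three the advisory lists, and the function names (`remove_auth_headers`, `process_request`, `forged_request`) are this example's own. With `sanitize_incoming=False` the middleware sets X-Is-Admin-Project only for admin-project tokens, so a client-supplied value survives on a non-admin request; with `sanitize_incoming=True` every identity header is stripped before any is populated from the validated token.

```python
"""Added illustration (not keystonemiddleware's own code) of the header
sanitization defect described in OSSA-2026-001 and the shape of its fix."""

# Identity headers named in the advisory; the real middleware handles more.
IDENTITY_HEADERS = ("X-User-Id", "X-Roles", "X-Is-Admin-Project")

# Constructed token table standing in for OAuth 2.0 token validation.
_TOKENS = {
    "Bearer user-token": {"user_id": "u-1234", "roles": ["member"], "admin_project": False},
    "Bearer admin-token": {"user_id": "u-0001", "roles": ["admin"], "admin_project": True},
}


def _env_key(header):
    """WSGI environ key for an HTTP header, e.g. X-Roles -> HTTP_X_ROLES."""
    return "HTTP_" + header.upper().replace("-", "_")


def remove_auth_headers(environ):
    """Drop every client-supplied identity header before any is set from a token.

    This is the step the advisory says the fix adds at the start of request
    processing: a header that is never rewritten afterwards cannot survive it.
    """
    for header in IDENTITY_HEADERS:
        environ.pop(_env_key(header), None)


def _set_identity_from_token(environ, claims):
    """Populate identity headers from validated claims.

    X-Is-Admin-Project is set only for admin-project tokens, mirroring the
    conditional behaviour the advisory describes; on its own that leaves a
    pre-existing value untouched for every other token.
    """
    environ[_env_key("X-User-Id")] = claims["user_id"]
    environ[_env_key("X-Roles")] = ",".join(claims["roles"])
    if claims["admin_project"]:
        environ[_env_key("X-Is-Admin-Project")] = "True"


def identity_headers(environ):
    """The identity headers a downstream service would see."""
    return {h: environ[_env_key(h)] for h in IDENTITY_HEADERS if _env_key(h) in environ}


def process_request(environ, sanitize_incoming):
    """Run the middleware over a WSGI environ.

    Returns the resulting identity headers, or None when the token is invalid
    (the service would answer 401). sanitize_incoming=False reproduces the
    defect; sanitize_incoming=True reproduces the fix.
    """
    if sanitize_incoming:
        remove_auth_headers(environ)
    claims = _TOKENS.get(environ.get("HTTP_AUTHORIZATION", ""))
    if claims is None:
        return None
    _set_identity_from_token(environ, claims)
    return identity_headers(environ)


def forged_request():
    """Constructed request: a valid non-admin token plus a client-supplied
    X-Is-Admin-Project header that the token does not justify."""
    return {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/v3/projects",
        "HTTP_AUTHORIZATION": "Bearer user-token",
        "HTTP_X_IS_ADMIN_PROJECT": "True",
    }


if __name__ == "__main__":
    print("unpatched:", process_request(forged_request(), sanitize_incoming=False))
    print("patched:  ", process_request(forged_request(), sanitize_incoming=True))
```

The design point is that setting headers unconditionally for every known header is a weaker fix than stripping first: it has to be kept in step with every header the middleware ever emits, whereas an unconditional `remove_auth_headers()` at the start of processing makes the set of trusted headers exactly the set the middleware writes from the validated token.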

--
Jeremy Stanley
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
