==================================================================================================
OSSA-2026-015: Multiple credential delegation and authorization bypass vulnerabilities in Keystone
==================================================================================================
:Date: May 28, 2026
:CVE: CVE-2026-42998, CVE-2026-42999, CVE-2026-43000, CVE-2026-43001, CVE-2026-44394

Affects
~~~~~~~
- Keystone: >=14.0.0 <27.0.2, >=28.0.0 <28.0.2, >=29.0.0 <29.0.2
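
To triage a fleet of installs against the ranges above without comparing them by hand, here is an added Python example (not part of the advisory or of Keystone) that parses the published ranges and classifies an installed version string; the version strings in `main()` are constructed samples, and the result reflects only the ranges the advisory lists.

```python
"""Check Keystone versions against the ranges published in OSSA-2026-015.

Added example, not part of the advisory or of Keystone.  The ranges are
copied from the Affects section; the versions checked in main() are
constructed samples.
"""
import re

# (lower bound inclusive, upper bound exclusive), as published.
AFFECTED_RANGES = [
    ("14.0.0", "27.0.2"),
    ("28.0.0", "28.0.2"),
    ("29.0.0", "29.0.2"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(ver):
    """Map a version string to a comparable key.

    The numeric part becomes a tuple padded to three components.  Any
    trailing pre-release marker (".dev3", "rc1", "a1") sorts below the
    matching final release, so "29.0.2.dev1" is still inside
    ">=29.0.0 <29.0.2", as it would be under PEP 440 ordering.
    """
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    is_final = 1 if m.group(2).strip(". ") == "" else 0
    return nums, is_final


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if `version` falls inside any published affected range.

    A version outside every listed range is reported as not affected only
    in the sense that the advisory does not list it.
    """
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(hi) for lo, hi in ranges)


def triage(versions, ranges=AFFECTED_RANGES):
    """Return {version: 'affected' | 'not affected'} for a list of installs."""
    return {v: ("affected" if is_affected(v, ranges) else "not affected")
            for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. from `pip show keystone` on each node.
    for ver, status in triage(["13.0.0", "26.0.0", "27.0.2", "28.0.1",
                               "29.0.2.dev1", "29.0.2"]).items():
        print(f"{ver:>12}  {status}")
```

The pre-release handling is the part worth getting right: a node running a development build of the first fixed release is still below that release and should be flagged.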
Description
~~~~~~~~~~~
Boris Bobrov from SAP SE reported that an authenticated attacker can
inject RBAC policy targets via the JSON request body, bypassing
authorization on any policy-protected endpoint to read credential
secrets, create credentials for arbitrary users, and escalate to cloud
admin (CVE-2026-42999). Application credential authentication does not
verify the caller owns the credential, enabling user impersonation
within a shared project (CVE-2026-42998). This impersonation can be
chained with trusts to escalate from member to admin, with the resulting
trust persisting independently (CVE-2026-43000). Tim Shepherd from
roiai.ca reported that application credentials scoped to one project can
create EC2 credentials for a different project (CVE-2026-43001). Erichen
from the Institute of Computing Technology, Chinese Academy of Sciences
reported that federated users can maintain access indefinitely by
repeatedly rescoping tokens before expiry, as each rescope issues a
fresh full-TTL token instead of inheriting the original expiry
(CVE-2026-44394). Additionally, Artem Goncharov from SysEleven GmbH
identified related issues in trust-scoped token handling and policy
enforcement during investigation. All Keystone deployments in the
affected version ranges are exposed to at least one of these issues;
CVE-2026-44394 only affects deployments using SAML2 or OIDC federation.
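
As an added illustration of the CVE-2026-44394 failure mode, the following Python model (written for this page, not Keystone's code) contrasts a rescope that hands out a fresh full-TTL token with one that caps every child at the expiry of the original federated login. The token fields, the one-hour TTL, the 30-minute rescope interval and the 24-hour horizon are assumptions chosen to make the difference visible.

```python
"""Model of the token-rescope expiry bug described as CVE-2026-44394.

Added example for this page; it is not Keystone code.  Token fields,
the one-hour TTL, the rescope interval and the horizon are assumptions
chosen to make the two behaviours visible.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TTL = timedelta(hours=1)              # assumed token lifetime
INTERVAL = timedelta(minutes=30)      # assumed time between rescopes
HORIZON = timedelta(hours=24)         # stops the loop in the unbounded case
T0 = datetime(2026, 5, 28, 12, 0, tzinfo=timezone.utc)  # constructed start


@dataclass(frozen=True)
class Token:
    issued_at: datetime
    expires_at: datetime
    scope: str
    # Expiry of the first token in the chain (the federated login), which a
    # hardened rescope must not exceed.
    origin_expires_at: datetime


def issue_unscoped(now, ttl=TTL):
    """Token issued at federated login (SAML2/OIDC assertion exchange)."""
    return Token(now, now + ttl, "unscoped", now + ttl)


def _check_live(parent, now):
    if now >= parent.expires_at:
        raise ValueError("cannot rescope an expired token")


def rescope_vulnerable(parent, now, scope, ttl=TTL):
    """Buggy behaviour: every rescope gets a fresh full TTL."""
    _check_live(parent, now)
    return Token(now, now + ttl, scope, parent.origin_expires_at)


def rescope_fixed(parent, now, scope, ttl=TTL):
    """Hardened behaviour: a child token never outlives the original expiry."""
    _check_live(parent, now)
    expires_at = min(now + ttl, parent.origin_expires_at)
    return Token(now, expires_at, scope, parent.origin_expires_at)


def simulate(rescope, start=T0, ttl=TTL, interval=INTERVAL, horizon=HORIZON):
    """Rescope every `interval` while the current token is still live.

    Returns (lifetime of the chain measured from `start`, number of rescopes).
    """
    tok = issue_unscoped(start, ttl)
    now, rescopes = start, 0
    while True:
        now += interval
        if now >= tok.expires_at or now > start + horizon:
            break
        tok = rescope(tok, now, "project", ttl)
        rescopes += 1
    return tok.expires_at - start, rescopes


if __name__ == "__main__":
    for name, fn in (("vulnerable", rescope_vulnerable), ("fixed", rescope_fixed)):
        life, n = simulate(fn)
        print(f"{name:>10}: chain alive for {life}, after {n} rescopes")
```

With the vulnerable rescope the chain is still alive when the 24-hour horizon stops the loop; with the capped rescope the single rescope expires together with the original login and the chain ends after one hour.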

Patches
~~~~~~~
- https://review.opendev.org/990500 (2025.1/epoxy)
- https://review.opendev.org/990501 (2025.1/epoxy)
- https://review.opendev.org/990502 (2025.1/epoxy)
- https://review.opendev.org/990503 (2025.1/epoxy)
- https://review.opendev.org/990504 (2025.1/epoxy)
- https://review.opendev.org/990495 (2025.2/flamingo)
- https://review.opendev.org/990496 (2025.2/flamingo)
- https://review.opendev.org/990497 (2025.2/flamingo)
- https://review.opendev.org/990498 (2025.2/flamingo)
- https://review.opendev.org/990499 (2025.2/flamingo)
- https://review.opendev.org/990490 (2026.1/gazpacho)
- https://review.opendev.org/990491 (2026.1/gazpacho)
- https://review.opendev.org/990492 (2026.1/gazpacho)
- https://review.opendev.org/990493 (2026.1/gazpacho)
- https://review.opendev.org/990494 (2026.1/gazpacho)
- https://review.opendev.org/990485 (2026.2/hibiscus)
- https://review.opendev.org/990486 (2026.2/hibiscus)
- https://review.opendev.org/990487 (2026.2/hibiscus)
- https://review.opendev.org/990488 (2026.2/hibiscus)
- https://review.opendev.org/990489 (2026.2/hibiscus)

Credits
~~~~~~~
- Boris Bobrov from SAP SE (CVE-2026-42998, CVE-2026-42999, CVE-2026-43000)
- Tim Shepherd from roiai.ca (CVE-2026-43001)
- Erichen from Institute of Computing Technology, Chinese Academy of Sciences (CVE-2026-44394)
- Artem Goncharov from SysEleven GmbH

References
~~~~~~~~~~
- https://launchpad.net/bugs/2148398
- https://launchpad.net/bugs/2148477
- https://launchpad.net/bugs/2149775
- https://launchpad.net/bugs/2149789
- https://launchpad.net/bugs/2150089
- https://launchpad.net/bugs/2150379
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42998
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42999
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43000
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43001
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44394

Notes
~~~~~
- The fix for CVE-2026-42999 modifies the trust policy structure.
  Deployments with customized trust policies may experience issues with
  image upload and Heat service functionality until the custom policy is
  updated.
- CVE-2026-44394 only affects deployments using SAML2 or OIDC federation.

-- 
Goutham Pacha Ravi (gouthamr)
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
