OpenStack Keystone has an Incorrect Authorization Issue

GHSA-hhq2-3832-xxcv · CVE-2026-43001

Published May 1, 2026 · Modified Jun 9, 2026

Description

An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-43001
WEB https://bugs.launchpad.net/keystone/+bug/2149775
PACKAGE https://review.opendev.org/c/openstack/keystone
WEB https://review.opendev.org/c/openstack/keystone/+/985804
WEB https://security.openstack.org/ossa/OSSA-2026-015.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes