CVE-2026-42998

MEDIUM

Openstack Keystone - Incorrect Authorization

Title source: rule

Description

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.

References (2)

Core 2

Core References

https://bugs.launchpad.net/keystone/+bug/2148477

https://security.openstack.org/ossa/OSSA-2026-015.html

Scores

CVSS v3 6.0

EPSS 0.0030

EPSS Percentile 21.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (4)

OpenStack/Keystone 14.0.0 - 27.0.2

openstack/keystone 14.0.0 - 27.0.2

OpenStack/Keystone 28.0.0 - 28.0.2

OpenStack/Keystone 29.0.0 - 29.0.2

Published May 28, 2026

Tracked Since May 29, 2026