Lucene search: OpenstackKeystone

44 matches found

CVE-2013-2255 (CVE record added 2019/11/01 6:38 p.m., 182 views)

OpenStack CVE-2013-2255 affects the HTTPSConnection class in Keystone (2013) and OpenStack Compute (2013.1), and possibly other OpenStack components. Root cause: the client does not validate the server-side SSL certificate, allowing potential impersonation or man-in-the-middle scenarios where untrusted certifi...

CVSS 5.9 | AI score 5.7 | EPSS 0.00962
CVE-2020-12690 (CVE record added 2020/05/06 11:43 p.m., 117 views)

CVE-2020-12690 affects OpenStack Keystone before 15.0.1 and 16.0.0, where the list of roles requested for an OAuth1 access token is silently ignored. As a result, the Keystone token may carry every role the token creator holds on the project, granting the consumer more permissions than the delegator intended. Affected product/ve...

CVSS 8.8 | AI score 8.4 | EPSS 0.01896
CVE-2021-38155 (CVE record added 2021/08/06 12:0 a.m., 111 views)

CVE-2021-38155 affects OpenStack Keystone 10.x–19.x; an unauthenticated actor can confirm account existence and retrieve the account UUID by guessing the account name and triggering repeated failed authentications, when security_compliance.lockout_failure_attempts is enabled. Connected advisories...

CVSS 7.5 | AI score 7.2 | EPSS 0.02457
CVE-2021-3563 (CVE record added 2022/08/26 3:25 p.m., 110 views)

CVE-2021-3563 affects OpenStack Keystone. The issue stems from Keystone only validating the first 72 characters of an application secret, enabling bypass of some password complexity checks and affecting confidentiality and integrity. The vulnerability is listed across multiple advisories (e.g., D...

CVSS 7.4 | AI score 7.2 | EPSS 0.01272
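The 72-character limit in the entry above is bcrypt's: it uses only the first 72 bytes of its input, so any secret longer than that is effectively its own 72-byte prefix. The example below is added here and is not Keystone's code; it simulates a bcrypt-style verifier with PBKDF2 plus the same truncation (a stand-in, since only the truncation matters) and contrasts it with the usual hardening of pre-hashing the whole secret to a short digest before the slow KDF. The salt and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac

BCRYPT_MAX_BYTES = 72  # bcrypt uses only the first 72 bytes of its input


def _truncating_kdf(secret: bytes, salt: bytes) -> bytes:
    # Stand-in for bcrypt used by this example: PBKDF2 with bcrypt's 72-byte
    # truncation applied on the way in. Real deployments use bcrypt itself; the
    # truncation behaviour is the only property this example relies on.
    return hashlib.pbkdf2_hmac("sha256", secret[:BCRYPT_MAX_BYTES], salt, 10_000)


def exceeds_bcrypt_limit(secret: str) -> bool:
    """True when part of the secret would be silently ignored by a bcrypt verifier."""
    return len(secret.encode("utf-8")) > BCRYPT_MAX_BYTES


# --- weak pattern: hand the raw secret to the truncating KDF ---

def hash_truncating(secret: str, salt: bytes) -> bytes:
    return _truncating_kdf(secret.encode("utf-8"), salt)


def verify_truncating(secret: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_truncating(secret, salt), stored)


# --- hardened pattern: pre-hash so every byte of the secret influences the result ---

def _prehash(secret: str) -> bytes:
    # base64 keeps the digest free of NUL bytes, which bcrypt would treat as end of input
    return base64.b64encode(hashlib.sha256(secret.encode("utf-8")).digest())  # 44 bytes


def hash_prehashed(secret: str, salt: bytes) -> bytes:
    return _truncating_kdf(_prehash(secret), salt)


def verify_prehashed(secret: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_prehashed(secret, salt), stored)


def demo() -> dict:
    salt = b"fixed-salt-for-example"  # constructed; real code uses a random per-secret salt
    real = "A" * 72 + "-tail-that-adds-entropy-but-is-never-checked"
    guess = real[:72]  # an attacker who knows only the first 72 characters
    stored_trunc = hash_truncating(real, salt)
    stored_pre = hash_prehashed(real, salt)
    return {
        "secret_over_limit": exceeds_bcrypt_limit(real),
        "truncating_accepts_72_char_prefix": verify_truncating(guess, salt, stored_trunc),
        "prehashed_accepts_72_char_prefix": verify_prehashed(guess, salt, stored_pre),
        "prehashed_accepts_full_secret": verify_prehashed(real, salt, stored_pre),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

exceeds_bcrypt_limit is the check to run when a complexity policy counts characters past position 72: with a truncating verifier those characters add nothing, so either reject such secrets or pre-hash as shown.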
CVE-2022-2447 (CVE record added 2022/09/01 8:30 p.m., 103 views)

CVE-2022-2447 affects OpenStack Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked and when it is actually revoked, which could let a remote administrator secretly maintain access for longer than expected. Related advisories (e.g., Ubuntu USN-7926-1) reference this CVE and indicate that updates are available; app...

CVSS 6.6 | AI score 6.4 | EPSS 0.00585
CVE-2020-12689 (CVE record added 2020/05/06 11:43 p.m., 102 views)

OpenStack Keystone vulnerability CVE-2020-12689 affects Keystone before 15.0.1 and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with escalated permissions, potentially allowing the user to act as admin on a project where a...

CVSS 8.8 | AI score 8.3 | EPSS 0.01562
CVE-2020-12691 (CVE record added 2020/05/06 11:43 p.m., 102 views)

CVE-2020-12691: In OpenStack Keystone before 15.0.1 and 16.0.0, any authenticated user can create an EC2 credential for themselves within a project where they hold a role, then update the credential's user/project, enabling them to masquerade as another user and potentially gain admin privileges...

CVSS 8.8 | AI score 8.3 | EPSS 0.04918
CVE-2020-12692 (CVE record added 2020/05/06 11:42 p.m., 95 views)

OpenStack Keystone (CVE-2020-12692) is affected in versions prior to 15.0.1 and 16.0.0. The EC2 API does not perform a signature TTL check for AWS Signature V4, allowing an attacker who can sniff an Authorization header to reuse it to reissue an OpenStack token an unlimited number of times. Multi...

CVSS 5.5 | AI score 5.5 | EPSS 0.00705
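The missing check in the entry above is a freshness window on the signed timestamp. A SigV4 request carries its timestamp in X-Amz-Date (basic ISO 8601, e.g. 20200506T234300Z) and the same date inside the Credential scope of the Authorization header; because x-amz-date is one of the signed headers, an attacker cannot move the timestamp forward without invalidating the signature. The example below is added here and is not Keystone's code: it parses the Authorization header, confirms the timestamp is covered by the signature, and rejects requests outside an accepted window. The 15-minute window is an assumption for this example (it is the window AWS itself applies), and the request headers are constructed, with a placeholder signature. It checks freshness only; the signature itself must still be verified separately.

```python
from datetime import datetime, timedelta, timezone

AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"     # X-Amz-Date format used by SigV4
MAX_SKEW = timedelta(minutes=15)     # assumption for this example


def parse_sigv4_authorization(header: str) -> dict:
    """Split a SigV4 Authorization header into credential scope, signed headers and signature."""
    prefix = "AWS4-HMAC-SHA256 "
    if not header.startswith(prefix):
        raise ValueError("not a SigV4 Authorization header")
    fields = {}
    for part in header[len(prefix):].split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    scope = fields.get("Credential", "").split("/")
    if len(scope) != 5 or scope[4] != "aws4_request":
        raise ValueError("malformed credential scope")
    return {
        "access_key": scope[0],
        "scope_date": scope[1],
        "region": scope[2],
        "service": scope[3],
        "signed_headers": fields.get("SignedHeaders", "").split(";"),
        "signature": fields.get("Signature", ""),
    }


def check_signature_ttl(headers: dict, now: datetime, max_skew: timedelta = MAX_SKEW) -> tuple:
    """Return (ok, reason). Freshness only; the caller still verifies the signature."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        auth = parse_sigv4_authorization(h.get("authorization", ""))
    except ValueError as exc:
        return False, str(exc)
    # The timestamp only binds the request if the signature covers it.
    if "x-amz-date" not in auth["signed_headers"]:
        return False, "x-amz-date is not among the signed headers"
    try:
        ts = datetime.strptime(h["x-amz-date"], AMZ_DATE_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "missing or malformed X-Amz-Date"
    if ts.strftime("%Y%m%d") != auth["scope_date"]:
        return False, "credential scope date does not match X-Amz-Date"
    if abs(now - ts) > max_skew:
        return False, "request timestamp outside the accepted window (replay or clock skew)"
    return True, "fresh"


# Constructed request headers for the example; the Signature value is a placeholder.
SAMPLE_HEADERS = {
    "Authorization": ("AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20200506/RegionOne/ec2/aws4_request, "
                      "SignedHeaders=host;x-amz-date, Signature=0000"),
    "X-Amz-Date": "20200506T234300Z",
    "Host": "keystone.example.invalid",
}


def demo() -> dict:
    signed_at = datetime(2020, 5, 6, 23, 43, tzinfo=timezone.utc)
    unsigned_ts = {**SAMPLE_HEADERS,
                   "Authorization": SAMPLE_HEADERS["Authorization"].replace("host;x-amz-date", "host")}
    return {
        "within_window": check_signature_ttl(SAMPLE_HEADERS, signed_at + timedelta(minutes=5))[0],
        "replayed_next_day": check_signature_ttl(SAMPLE_HEADERS, signed_at + timedelta(days=1))[0],
        "timestamp_not_signed": check_signature_ttl(unsigned_ts, signed_at)[0],
    }


if __name__ == "__main__":
    print(demo())
```

A sniffed header still replays within the window; closing that fully needs a nonce or one-time cache keyed on the signature, which the window keeps small enough to hold in memory.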
CVE-2018-14432 (CVE record added 2018/07/31 2:0 p.m., 87 views)

Summary of CVE-2018-14432 (OpenStack Keystone federation): An authenticated GET to /v3/OS-FEDERATION/projects could bypass access controls and disclose all projects and their attributes when Keystone's /v3/OS-FEDERATION endpoint is enabled via policy.json. Affected releases include OpenStack Key...

CVSS 5.3 | AI score 4.8 | EPSS 0.01618
CVE-2014-3621 (CVE record added 2014/10/02 2:0 p.m., 85 views)

CVE-2014-3621 affects OpenStack Keystone (identity service). Keystone substitutes configuration values into service-catalog endpoint URLs, so a crafted endpoint publicurl field (demonstrated via $(admin_token)) causes sensitive configuration values to be disclosed in the catalog. Affected releases include Keystone before 2013.2...

CVSS 4 | AI score 5.8 | EPSS 0.02109
CVE-2013-4222 (CVE record added 2013/09/30 8:0 p.m., 84 views)

CVE-2013-4222 affects OpenStack Keystone (Folsom, Grizzly 2013.1.3 and earlier, Havana before havana-3). The vulnerability arises because Keystone does not properly revoke user tokens when a tenant is disabled, allowing remote authenticated users to continue accessing resources via their tokens. ...

CVSS 6.5 | AI score 6.1 | EPSS 0.01892
CVE-2014-5251 (CVE record added 2014/08/25 2:0 p.m., 83 views)

The CVE describes a vulnerability in the OpenStack Keystone MySQL token driver: versions of OpenStack Identity (Keystone) 2014.1.x prior to 2014.1.2.1 and the Juno series prior to Juno-3 store timestamps with incorrect precision. This causes the token expiration check to fail, allowing remote aut...

CVSS 4.9 | AI score 6.1 | EPSS 0.01592
CVE-2013-2006 (CVE record added 2013/05/21 6:0 p.m., 80 views)

OpenStack Keystone (Grizzly 2013.1.1) is affected by CVE-2013-2006: when DEBUG logging is enabled, Keystone can write admin_token and LDAP password in plaintext to log files, enabling local disclosure of sensitive data. The issue is documented in related advisories (RHSA-2013:0806; GHSA-RXRM-XVP4...

CVSS 2.1 | AI score 6 | EPSS 0.00602
CVE-2012-3426 (CVE record added 2012/07/31 10:0 a.m., 78 views)

OpenStack Keystone before version 2012.1.1 (as used in Folsom before Folsom-1 and Essex) does not properly enforce token expiration, allowing remote authenticated users to bypass authorization by: (1) chaining tokens to create new ones, (2) using a token from a disabled account, or (3) using a to...

CVSS 4.9 | AI score 6.1 | EPSS 0.02266
CVE-2013-0270 (CVE record added 2013/04/12 10:0 p.m., 77 views)

OpenStack Keystone CVE-2013-0270 affects Grizzly before 2013.1 (Folsom and possibly earlier). The vulnerability allows remote attackers to trigger a denial of service by sending a large HTTP request, demonstrated by an oversized tenant_name during token requests. Supported sources across multiple...

CVSS 6.5 | AI score 5.8 | EPSS 0.03009
CVE-2013-2157 (CVE record added 2013/08/20 10:0 p.m., 77 views)

CVE-2013-2157 affects OpenStack Keystone (Folsom/Grizzly before 2013.1.3 and Havana) where LDAP authentication with anonymous binds allows a remote attacker to bypass authentication using an empty password. Connected sources confirm remediation via OpenStack/Keystone upgrades or patches (e.g., up...

CVSS 4.3 | AI score 6.8 | EPSS 0.03128
CVE-2014-5252 (CVE record added 2014/08/25 2:0 p.m., 75 views)

CVE-2014-5252 affects OpenStack Keystone. The V3 API in 2014.1.x (before 2014.1.2.1) and Juno (before Juno-3) mishandles issued_at for UUID v2 tokens, allowing remote authenticated users to bypass expiration by reusing tokens via GET or HEAD to /v3/auth/tokens/. Mitigation: upgrade Keystone to th...

CVSS 4.9 | AI score 6.2 | EPSS 0.01515
CVE-2013-4294 (CVE record added 2013/09/23 8:0 p.m., 74 views)

OpenStack Keystone (Identity) on Folsom 2012.2.x and Grizzly up to 2013.1.3/pre-2013.1.4 is affected where the memcache and KVS token back ends do not properly compare the PKI token revocation list with PKI tokens, allowing revoked tokens to bypass access controls. Red Hat advisory RHSA-2013:1285...

CVSS 5 | AI score 6.4 | EPSS 0.02342
CVE-2019-19687 (CVE record added 2019/12/09 5:14 p.m., 73 views)

OpenStack Keystone CVE-2019-19687 affects Keystone 15.0.0 and 16.0.0. The /v3/credentials API can leak credentials when enforce_scope is false, enabling a user with a project role to list/view other users' credentials (potentially exposing sign-on data such as TOTP). Affected deployments are thos...

CVSS 8.8 | AI score 8.2 | EPSS 0.0178
CVE-2013-6391 (CVE record added 2013/12/14 5:0 p.m., 72 views)

Summary (CVE-2013-6391): OpenStack Keystone's ec2token API could generate a token not scoped to a specific trust when converting a trust-scoped token, allowing remote trust users to obtain EC2 credentials and potentially elevate privileges. Affected releases include Keystone before Havana 2013.2.1...

CVSS 5.8 | AI score 6.6 | EPSS 0.02239
CVE-2014-3476 (CVE record added 2014/06/17 2:0 p.m., 72 views)

CVE-2014-3476 affects the OpenStack Keystone (Identity) service. The vulnerability arises from improper handling of chained delegation, where a trustee could use a trust or impersonation-enabled OAuth token to create a new token with additional roles, enabling remote authenticated privilege escal...

CVSS 6 | AI score 6.4 | EPSS 0.02308
CVE-2012-4413 (CVE record added 2012/09/18 5:0 p.m., 71 views)

CVE-2012-4413 affects OpenStack Keystone before 2012.1.3. The vulnerability occurs because Keystone does not invalidate existing tokens when roles are granted or revoked, allowing remote authenticated users to retain privileges associated with revoked roles. The issue has been acknowledged in mul...

CVSS 4 | AI score 6.1 | EPSS 0.01881
CVE-2013-2059 (CVE record added 2013/05/21 6:0 p.m., 71 views)

OpenStack Keystone vulnerability CVE-2013-2059 affects Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana. The root cause is that authentication tokens are not immediately revoked when deleting a user via the Keystone v2 API, allowing remote authenticated users to retain access via ...

CVSS 6 | AI score 6.3 | EPSS 0.02468
CVE-2013-0247 (CVE record added 2013/02/24 7:0 p.m., 70 views)

CVE-2013-0247 affects OpenStack Keystone: Essex 2012.1.3 and earlier; Folsom 2012.2.3 and earlier; Grizzly grizzly-2 and earlier. Root cause: a flood of invalid token requests makes Keystone write excessive log entries, consuming disk space and degrading availability. Patches exist via OpenStack keyst...

CVSS 5 | AI score 6.4 | EPSS 0.03243
CVE-2014-3520 (CVE record added 2014/10/26 8:0 p.m., 70 views)

CVE-2014-3520 affects OpenStack Identity (Keystone) where, in V2 API trust handling, a remote authenticated trustee can gain access to an unauthorized project by supplying the project ID in a trust token request. Affected versions include Keystone before 2013.2.4, 2014.x before 2014.1.2, and Juno...

CVSS 6.5 | AI score 6.4 | EPSS 0.01871
CVE-2013-0282 (CVE record added 2013/04/12 10:0 p.m., 67 views)

CVE-2013-0282 affects OpenStack Keystone (Grizzly 2013.1, Folsom 2012.1.3, Essex). The root cause is that EC2-style authentication did not properly verify that the (1) user, (2) tenant, or (3) domain is enabled, enabling context-dependent attackers to bypass access restrictions. Public documents ...

CVSS 5 | AI score 6.3 | EPSS 0.01747
CVE-2012-4456 (CVE record added 2012/10/09 3:0 p.m., 66 views)

CVE-2012-4456 affects OpenStack Keystone: the OS-KSADM/services and tenant APIs in Keystone Essex before 2012.1.2 and Folsom before folsom-2 fail to validate X-Auth-Token, allowing remote attackers to read the roles for an arbitrary user or to get, create, or delete arbitrary services. This is do...

CVSS 7.5 | AI score 6.6 | EPSS 0.03965
CVE-2014-2828 (CVE record added 2014/04/15 2:0 p.m., 65 views)

CVE-2014-2828 affects OpenStack Keystone (V3 API) where an attacker can trigger a denial of service by sending many requests using the same authentication method. The vulnerability exists in Keystone 2013.1 before 2013.2.4 and in Icehouse before icehouse-rc2. Public advisories from Red Hat, IBM, ...

CVSS 7.8 | AI score 6.6 | EPSS 0.03129
CVE-2012-5483 (CVE record added 2012/12/26 10:0 p.m., 63 views)

CVE-2012-5483 affects OpenStack Keystone 2012.1.3 where /etc/keystone/ec2rc is world-readable when EC2 access is configured, allowing local users to read admin access and secret values and potentially access EC2 services. Root cause: insecure file permissions on ec2rc. Impact: local privilege/cre...

CVSS 2.1 | AI score 6.1 | EPSS 0.00341
CVE-2014-2237 (CVE record added 2014/04/01 1:0 a.m., 63 views)

CVE-2014-2237 concerns the memcache token backend of OpenStack Keystone. When issuing a trust token with impersonation enabled, the trustee's token-index-list is not updated, so bulk token revocation cannot invalidate the token, allowing bypass of access controls. Affected: Keystone releases from...

CVSS 5 | AI score 6.2 | EPSS 0.01367
CVE-2015-7546 (CVE record added 2016/02/03 3:0 p.m., 63 views)

CVE-2015-7546 affects OpenStack Keystone and related keystonemiddleware: the identity service fails to invalidate authorization tokens when using PKI or PKIZ providers, enabling remote authenticated users to bypass access controls by manipulating bytes in a revoked token. Affected versions includ...

CVSS 7.5 | AI score 7.2 | EPSS 0.01708
CVE-2012-1572 (CVE record added 2019/11/12 4:48 p.m., 61 views)

OpenStack Keystone is affected by CVE-2012-1572: extremely long passwords can exhaust Keystone's stack space and crash the service. The connected sources confirm this behavior but do not provide a specific remediation or patched version in the supplied documents.

CVSS 7.5 | AI score 7.3 | EPSS 0.01199
CVE-2012-4457 (CVE record added 2012/10/09 3:0 p.m., 61 views)

OpenStack Keystone (Essex) before 2012.1.2 and (Folsom) before folsom-3 has a flaw in token authorization for disabled tenants, enabling remote authenticated users to obtain a token for a disabled tenant and access its resources. Root cause: improper handling of authorization tokens for disabled ...

CVSS 4 | AI score 6.2 | EPSS 0.02267
CVE-2013-2014 (CVE record added 2014/06/02 3:0 p.m., 60 views)

OpenStack Identity (Keystone) prior to version 2013.1 is affected. The issue allows remote attackers to cause a denial of service by sending multiple long requests, leading to memory consumption and a crash. This is the stated impact in the CVE description. Remediation suggested in the related en...

CVSS 5 | AI score 6.5 | EPSS 0.03244
CVE-2014-5253 (CVE record added 2014/08/25 2:0 p.m., 60 views)

CVE-2014-5253 affects OpenStack Keystone (2014.1.x before 2014.1.2.1 and Juno before Juno-3). The issue is that domain invalidation does not properly revoke tokens, allowing remote authenticated users to retain access via a domain-scoped token for that domain. Connected sources (e.g., GHSA-77W8-Q...

CVSS 4.9 | AI score 6.2 | EPSS 0.01488
CVE-2015-3646 (CVE record added 2015/05/12 7:0 p.m., 59 views)

CVE-2015-3646 affects OpenStack Keystone: the backend_argument option content could be logged in Keystone logs, enabling remote authenticated users to obtain passwords and other sensitive backend data. Publicly documented affected ranges: Keystone before 2014.1.5 and 2014.2.x before 2014.2.4. The...

CVSS 4 | AI score 8.7 | EPSS 0.02877
CVE-2018-20170 (CVE record added 2018/12/17 6:0 a.m., 55 views)

OpenStack Keystone up to 14.0.1 is affected by a user enumeration vulnerability where invalid usernames yield faster responses than valid ones for POST /v3/auth/tokens. The root cause is a timing discrepancy in authentication processing. The vendor characterizes this as a hardening opportunity, n...

CVSS 5.3 | AI score 5.3 | EPSS 0.0111
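The timing discrepancy in the entry above has a standard cause: when the username is unknown there is no stored hash, so the server answers before doing any expensive password hashing, and the fast path is measurable from the network. The example below is added here and is not Keystone's code. It contrasts a naive authenticator with one that always performs the same slow hash (against a precomputed dummy hash when the user does not exist) and never authenticates a nonexistent account, so the two paths do equal work. The user store, salt and passwords are constructed; PBKDF2 stands in for whichever slow hash a real deployment uses.

```python
import hashlib
import hmac
import time

ITERATIONS = 50_000           # deliberately slow hash; the cost is the point
_SALT = b"constructed-salt"    # real systems use a random per-user salt
_hash_calls = 0                # instrumentation so the work done per call can be checked


def _slow_hash(password: str, salt: bytes = _SALT) -> bytes:
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store with one valid account.
USERS = {"alice": _slow_hash("correct horse battery staple")}
# Computed once at start-up; used to spend the same effort on unknown accounts.
_DUMMY_HASH = _slow_hash("not-a-real-password")


def authenticate_naive(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        return False                      # returns before hashing: fast for unknown users
    return hmac.compare_digest(_slow_hash(password), stored)


def authenticate_constant_work(username: str, password: str) -> bool:
    stored = USERS.get(username)
    candidate = _slow_hash(password)      # always pay the hashing cost
    if stored is None:
        hmac.compare_digest(candidate, _DUMMY_HASH)   # same comparison, result discarded
        return False                      # an account that does not exist never authenticates
    return hmac.compare_digest(candidate, stored)


def hash_calls_for(auth_fn, username: str, password: str) -> int:
    """Number of slow-hash computations one call to auth_fn performs."""
    global _hash_calls
    before = _hash_calls
    auth_fn(username, password)
    return _hash_calls - before


def timing_ratio(auth_fn) -> float:
    """Wall-clock time for an unknown user divided by the time for a known user."""
    t0 = time.perf_counter()
    auth_fn("alice", "wrong-password")
    t_known = time.perf_counter() - t0
    t0 = time.perf_counter()
    auth_fn("nobody", "wrong-password")
    t_unknown = time.perf_counter() - t0
    return t_unknown / t_known


if __name__ == "__main__":
    print("naive unknown/known time ratio:        %.3f" % timing_ratio(authenticate_naive))
    print("constant-work unknown/known time ratio: %.3f" % timing_ratio(authenticate_constant_work))
```

With per-user salts the dummy path must also derive a salt deterministically from the supplied username (for example an HMAC over it), otherwise a missing salt lookup becomes its own timing signal. Equalising the hashing cost removes this channel only; the lockout-counter behaviour described under CVE-2021-38155 is a separate, non-timing oracle.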
CVE-2014-0204 (CVE record added 2014/11/03 11:0 p.m., 52 views)

The CVE-2014-0204 issue affects OpenStack Keystone where a role assigned to a group sharing the same ID as a user can allow remote authenticated users to gain privileges tied to that group ID. Context from connected documents confirms this is rooted in Keystone before 2014.1.1, causing privilege ...

CVSS 6.5 | AI score 7.4 | EPSS 0.01386
CVE-2026-33551 (CVE record added 2026/04/10 12:0 a.m., 29 views)

OpenStack Keystone vulnerability CVE-2026-33551 allows an authenticated user with only a reader role to obtain EC2/S3 credentials via restricted application credentials when using the EC2/S3 compatibility API (swift3/s3api). Affected products/versions: Keystone 14 through 26 before 26.1.1, 27.0.0...

CVSS 5.3 | AI score 5.9 | EPSS 0.00211
CVE-2026-43000 (CVE record added 2026/05/28 12:0 a.m., 23 views)

CVE-2026-43000 affects OpenStack Keystone (identity service). Affected: Keystone before 29.0.2. The issue arises when an impersonation vulnerability in application credentials is chained with Keystone trusts, allowing a user with member role to escalate to admin by delegating the victim's admin r...

CVSS 8.8 | AI score 5.8 | EPSS 0.00244
CVE-2026-42999 (CVE record added 2026/05/28 12:0 a.m., 22 views)

OpenStack Keystone prior to 29.0.2 contains CVE-2026-42999, where the RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary (policy_dict.update(json_input.copy())). Since flask.request.get_json is called with force=True, this ...

CVSS 8.8 | AI score 6 | EPSS 0.00246
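The pattern in the entry above, a client-supplied JSON body merged over the server-derived target dict that policy rules are evaluated against, is worth seeing in miniature because the consequence is not obvious from the one-line description: any rule that compares a caller attribute with a target attribute can be satisfied by putting the expected value in the body. The example below is added here and is not Keystone's enforcer or policy; the credential store, token contexts and the owner-or-admin rule are hypothetical and constructed for the illustration. The hardened variant keeps the body under its own key so rules can still consult it without it shadowing what the server knows about the object.

```python
import json

# Constructed credential store: "cred-1" belongs to user "victim".
CREDENTIALS = {"cred-1": {"id": "cred-1", "user_id": "victim", "type": "ec2"}}

# Hypothetical rule in the owner-or-admin style (not Keystone's real policy).
POLICY = {
    "identity:update_credential": lambda creds, target: (
        creds["is_admin"] or creds["user_id"] == target["user_id"]
    ),
}


def _creds_from_token(token: dict) -> dict:
    return {"user_id": token["user_id"], "is_admin": token.get("is_admin", False)}


def _parse_body(raw_body: str) -> dict:
    # force=True semantics: parsed as JSON regardless of Content-Type; empty body -> {}
    if not raw_body:
        return {}
    parsed = json.loads(raw_body)
    return parsed if isinstance(parsed, dict) else {}


def enforce_vulnerable(action: str, token: dict, cred_id: str, raw_body: str) -> bool:
    target = dict(CREDENTIALS[cred_id])      # server-derived facts about the object
    target.update(_parse_body(raw_body))     # body keys overwrite server-derived keys
    return bool(POLICY[action](_creds_from_token(token), target))


def enforce_hardened(action: str, token: dict, cred_id: str, raw_body: str) -> bool:
    target = dict(CREDENTIALS[cred_id])
    target["request_body"] = _parse_body(raw_body)   # body stays in its own namespace
    return bool(POLICY[action](_creds_from_token(token), target))


# Constructed callers and a body that claims ownership.
ATTACKER = {"user_id": "attacker"}
OWNER = {"user_id": "victim"}
SPOOF_BODY = json.dumps({"user_id": "attacker", "blob": "new-secret"})


if __name__ == "__main__":
    action = "identity:update_credential"
    print("vulnerable, attacker with spoofed body:", enforce_vulnerable(action, ATTACKER, "cred-1", SPOOF_BODY))
    print("hardened,   attacker with spoofed body:", enforce_hardened(action, ATTACKER, "cred-1", SPOOF_BODY))
    print("hardened,   real owner:                ", enforce_hardened(action, OWNER, "cred-1", SPOOF_BODY))
```

The same separation is what makes body-derived values safe to use in rules at all: a rule that needs a body field should name it explicitly (request_body.something), never rely on it having been flattened into the target.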
CVE-2026-44394 (CVE record added 2026/05/28 12:0 a.m., 22 views)

CVE-2026-44394 affects OpenStack Keystone before 29.0.2. The federated token rescoping mechanism does not propagate the original token expiry to the newly issued token; repeated rescopes can allow indefinite access by issuing tokens with a fresh TTL, bypassing token lifetime policies. Affected de...

CVSS 8.1 | AI score 5.8 | EPSS 0.00245
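The entry above and the token-chaining case of CVE-2012-3426 earlier on this page are the same defect fourteen years apart: a token derived from another token is issued with a full fresh lifetime instead of inheriting the original's expiry, so rescoping before each expiry extends access indefinitely. The example below is added here and is not Keystone's token provider. It models both behaviours and chains rescopes on a schedule to show how long a session survives under each; the one-hour TTL and the scopes are assumptions for the illustration.

```python
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_TTL = timedelta(hours=1)   # assumption for this example


def issue_token(user_id: str, scope: str, now: datetime,
                expires_at: Optional[datetime] = None) -> dict:
    return {
        "id": secrets.token_hex(8),
        "user_id": user_id,
        "scope": scope,
        "issued_at": now,
        "expires_at": expires_at or now + TOKEN_TTL,
    }


def _require_valid(token: dict, now: datetime) -> None:
    if token["expires_at"] <= now:
        raise PermissionError("token expired")


def rescope_fresh_ttl(token: dict, new_scope: str, now: datetime) -> dict:
    """Weak: the rescoped token gets a full new lifetime."""
    _require_valid(token, now)
    return issue_token(token["user_id"], new_scope, now)


def rescope_bounded(token: dict, new_scope: str, now: datetime) -> dict:
    """Hardened: the new token never outlives the token it was derived from."""
    _require_valid(token, now)
    return issue_token(token["user_id"], new_scope, now,
                       expires_at=min(token["expires_at"], now + TOKEN_TTL))


def lifetime_after_chaining(rescope, hops: int, interval_minutes: int) -> int:
    """Rescope every interval_minutes, up to hops times, stopping at the first rejection.
    Returns minutes from the first issue to the expiry of the last token obtained."""
    start = datetime(2026, 1, 1, tzinfo=timezone.utc)
    token = issue_token("user", "project-a", start)
    for i in range(1, hops + 1):
        now = start + timedelta(minutes=interval_minutes * i)
        try:
            token = rescope(token, "project-b" if i % 2 else "project-a", now)
        except PermissionError:
            break
    return int((token["expires_at"] - start).total_seconds() // 60)


if __name__ == "__main__":
    print("fresh TTL on rescope, 5 hops every 50 min:",
          lifetime_after_chaining(rescope_fresh_ttl, 5, 50), "minutes of access")
    print("bounded rescope,      5 hops every 50 min:",
          lifetime_after_chaining(rescope_bounded, 5, 50), "minutes of access")
```

Bounding the expiry is necessary but not the whole story: the derived token should also be tied to its parent (for example by recording the parent id) so that revoking the original, which the CVE-2014-2237 entry shows can otherwise be missed, revokes everything minted from it.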
CVE-2026-42998 (CVE record added 2026/05/28 12:0 a.m., 20 views)

Summary of CVE-2026-42998 (OpenStack Keystone): The Keystone application credential authentication plugin fails to verify that the requester owns the credential, allowing an attacker to authenticate with their own application credential and specify another user in the request. The resulting toke...

CVSS 8.8 | AI score 5.8 | EPSS 0.00298
CVE-2026-43001 (CVE record added 2026/05/01 12:0 a.m., 12 views)

CVE-2026-43001 affects OpenStack Keystone (versions 13–29) where POST /v3/credentials does not validate that the caller-supplied project_id for an EC2-type credential matches the authenticating application credential's project. An attacker with an unrestricted app_cred for project A can create an...

CVSS 8 | AI score 5.8 | EPSS 0.00404
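Three entries on this page are missing-binding bugs on the same object: CVE-2020-12689 (a delegated scope may mint an EC2 credential), CVE-2020-12691 (the owner may later move the credential to another user or project) and CVE-2026-43001 above (the body's project_id is not checked against the token's project). The example below is added here and is not Keystone's validation code; it shows the set of checks a practitioner would want on create and update of an EC2-type credential. The token fields (scope_type, project_id, user_id, is_admin), the choice of which delegated scopes are refused, and the sample bodies are assumptions constructed for the illustration.

```python
import json

# Delegated scopes refused for minting EC2 credentials in this example's policy.
DELEGATED_SCOPES = {"trust", "oauth1"}
IMMUTABLE_FIELDS = ("user_id", "project_id", "type")


def validate_ec2_credential_create(token: dict, body: dict) -> tuple:
    """token: the authenticated caller; body: the 'credential' object of POST /v3/credentials."""
    if body.get("type") != "ec2":
        return True, "not an EC2 credential; outside this check"
    if token.get("scope_type") in DELEGATED_SCOPES:
        return False, "a delegated (trust/oauth1) token may not mint EC2 credentials"
    if body.get("user_id", token["user_id"]) != token["user_id"]:
        return False, "user_id must be the caller"
    # Pins the credential to the token's project; for an application-credential
    # token that is the project the application credential was created in.
    if body.get("project_id") != token.get("project_id"):
        return False, "project_id must match the token's project scope"
    try:
        blob = json.loads(body.get("blob", ""))
    except ValueError:
        return False, "blob must be JSON"
    if not isinstance(blob, dict) or not {"access", "secret"} <= set(blob):
        return False, "blob must carry access and secret"
    return True, "ok"


def validate_ec2_credential_update(existing: dict, token: dict, patch: dict) -> tuple:
    """existing: the stored credential; patch: fields the caller wants to change."""
    if existing["user_id"] != token["user_id"] and not token.get("is_admin", False):
        return False, "only the owner may update this credential"
    for field in IMMUTABLE_FIELDS:
        if field in patch and patch[field] != existing[field]:
            return False, f"{field} is immutable once the credential exists"
    return True, "ok"


# Constructed callers and requests.
PROJECT_TOKEN = {"user_id": "u-1", "project_id": "project-a", "scope_type": "project"}
APPCRED_TOKEN = {"user_id": "u-1", "project_id": "project-a", "scope_type": "application_credential"}
TRUST_TOKEN = {"user_id": "u-1", "project_id": "project-a", "scope_type": "trust"}
SAMPLE_BODY = {
    "type": "ec2",
    "user_id": "u-1",
    "project_id": "project-a",
    "blob": json.dumps({"access": "AKIAEXAMPLE", "secret": "constructed-secret"}),
}
EXISTING = {"id": "cred-1", "type": "ec2", "user_id": "u-1", "project_id": "project-a"}


if __name__ == "__main__":
    print(validate_ec2_credential_create(PROJECT_TOKEN, SAMPLE_BODY))
    print(validate_ec2_credential_create(TRUST_TOKEN, SAMPLE_BODY))
    print(validate_ec2_credential_create(APPCRED_TOKEN, {**SAMPLE_BODY, "project_id": "project-b"}))
    print(validate_ec2_credential_update(EXISTING, PROJECT_TOKEN, {"user_id": "u-2"}))
```

The create-time project check is what CVE-2026-43001 describes as missing; the immutable-field check on update is what closes the CVE-2020-12691 path, and refusing delegated scopes is one way to address CVE-2020-12689 (a deployment may instead allow them with the same project pinning).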