Lucene search
K
OpenstackKeystone28.0.0

6 matches found

CVE
CVE
added 2026/05/28 12:0 a.m.46 views

CVE-2026-44394

CVE-2026-44394 affects OpenStack Keystone before 29.0.2. The federated token rescoping mechanism does not propagate the original token expiry to the newly issued token; repeated rescopes can allow indefinite access by issuing tokens with a fresh TTL, bypassing token lifetime policies. Affected de...

8.1CVSS5.8AI score0.00249EPSS
CVE
CVE
added 2026/04/10 12:0 a.m.39 views

CVE-2026-33551

OpenStack Keystone vulnerability CVE-2026-33551 allows an authenticated user with only a reader role to obtain EC2/S3 credentials via restricted application credentials when using the EC2/S3 compatibility API (swift3/s3api). Affected products/versions: Keystone 14 through 26 before 26.1.1, 27.0.0...

5.3CVSS5.9AI score0.0022EPSS
CVE
CVE
added 2026/05/28 12:0 a.m.37 views

CVE-2026-43000

CVE-2026-43000 affects OpenStack Keystone (identity service). Affected: Keystone before 29.0.2. The issue arises when an impersonation vulnerability in application credentials is chained with Keystone trusts, allowing a user with member role to escalate to admin by delegating the victim's admin r...

8.8CVSS5.8AI score0.00328EPSS
CVE
CVE
added 2026/05/28 12:0 a.m.35 views

CVE-2026-42999

OpenStack Keystone prior to 29.0.2 contains CVE-2026-42999, where the RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary (policy_dict.update(json_input.copy())). Since flask.request.get_json is called with force=True, this ...

8.8CVSS6AI score0.00329EPSS
CVE
CVE
added 2026/05/28 12:0 a.m.30 views

CVE-2026-42998

Summary of CVE-2026-42998 (OpenStack Keystone) : The Keystone application credential authentication plugin fails to verify that the requester owns the credential, allowing an attacker to authenticate with their own application credential and specify another user in the request. The resulting toke...

8.8CVSS5.8AI score0.00303EPSS
CVE
CVE
added 2026/05/01 12:0 a.m.18 views

CVE-2026-43001

CVE-2026-43001 affects OpenStack Keystone (versions 13–29) where POST /v3/credentials does not validate that the caller-supplied project_id for an EC2-type credential matches the authenticating application credential’s project. An attacker with an unrestricted app_cred for project A can create an...

8CVSS5.8AI score0.00446EPSS
Web