CVE-2026-33551

CWE-863Incorrect AuthorizationCWE-2669 documents9 sources
Severity
3.5LOW
EPSS
0.0%
top 94.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Openstack Keystone
Timeline
PublishedApr 10
Latest updateApr 13

Description

An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that us

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5openstack/keystone14.0.026.1.1+3
PyPIkeystone14.0.026.1.1

🔴Vulnerability Details

4
VulDB
Keystone up to 26.1.0/27.0.0/28.0.0/29.0.0 EC2 Credential Creation Endpoint improper authorization (Nessus ID 305614)2026-04-13
GHSA
GHSA-4phw-6824-6cfp: An issue was discovered in OpenStack Keystone 14 through 26 before 262026-04-10
CVEList
CVE-2026-33551: An issue was discovered in OpenStack Keystone 14 through 26 before 262026-04-10
GHSA
OpenStack Keystone: Restricted application credentials can create EC2 credentials2026-04-10

📋Vendor Advisories

2
Red Hat
openstack-keystone: OpenStack Keystone: Privilege escalation through EC2 credential creation2026-04-07
Debian
CVE-2026-33551: keystone2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-33551 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-33551 openstack-keystone: OpenStack Keystone: Privilege escalation through EC2 credential creation2026-03-25
CVE-2026-33551 (LOW CVSS 3.5) | An issue was discovered in OpenStac | cvebase.io