CVE-2026-40683
Published 2026-04-14
CVE-2026-40683: In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert…
Priority P3 · 45 · high · 7.7 (CVSS 3.1)
AV:N / AC:H / PR:L / UI:N / S:C / C:L / I:L / A:H
EPSS
0.32%
23.4th percentile
In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.
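The following Python block is an added illustration of the mechanism described above; it is not Keystone's own code but a simplified model of the behaviour the advisory describes. The LDAP entries, the `_ldap_bool` helper, both `*_res_to_model` functions and the `deployment_is_affected` configuration check are constructed for this example. It shows why a raw `"FALSE"` string passes an `if user['enabled']:` test, what the always-convert fix looks like, and the configuration combination the advisory's last sentence singles out as affected.

```python
"""
Added illustration of the CVE-2026-40683 defect; this is not Keystone's
own code, only a simplified model of the behaviour the advisory describes.
"""

# Constructed sample entries in the (dn, attributes) shape an LDAP search
# returns: every attribute value is a list, and the values are strings.
SAMPLE_LDAP_USERS = {
    "alice": ("cn=alice,ou=users,dc=example,dc=com",
              {"cn": ["alice"], "enabled": ["TRUE"]}),
    "bob": ("cn=bob,ou=users,dc=example,dc=com",
            {"cn": ["bob"], "enabled": ["FALSE"]}),
}


def _ldap_bool(value) -> bool:
    """Convert an LDAP boolean ('TRUE'/'FALSE', str or bytes) to a Python bool."""
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    return str(value).strip().upper() == "TRUE"


def vulnerable_res_to_model(res, user_enabled_invert=False):
    """Behaviour described in the advisory: the string is converted to a
    boolean only on the invert path; otherwise the raw LDAP string is kept."""
    dn, attrs = res
    raw = attrs["enabled"][0]
    if user_enabled_invert:
        enabled = not _ldap_bool(raw)
    else:
        enabled = raw  # "FALSE" stays a non-empty string, which is truthy
    return {"dn": dn, "name": attrs["cn"][0], "enabled": enabled}


def fixed_res_to_model(res, user_enabled_invert=False):
    """Always normalise to bool first, then apply the invert option."""
    dn, attrs = res
    enabled = _ldap_bool(attrs["enabled"][0])
    if user_enabled_invert:
        enabled = not enabled
    return {"dn": dn, "name": attrs["cn"][0], "enabled": enabled}


def may_authenticate(user) -> bool:
    """The kind of gate an authentication path applies: deny unless enabled."""
    return bool(user["enabled"])


def deployment_is_affected(identity_driver, user_enabled_invert,
                           user_enabled_emulation) -> bool:
    """Configuration check derived from the advisory: the LDAP driver with
    neither user_enabled_invert=True nor user_enabled_emulation set."""
    return (identity_driver == "ldap"
            and not user_enabled_invert
            and not user_enabled_emulation)


if __name__ == "__main__":
    for name, res in SAMPLE_LDAP_USERS.items():
        bad = vulnerable_res_to_model(res)
        good = fixed_res_to_model(res)
        print(f"{name}: ldap={res[1]['enabled'][0]!r} "
              f"vulnerable_allows={may_authenticate(bad)} "
              f"fixed_allows={may_authenticate(good)}")
```

Running the block prints that `bob`, whose LDAP attribute is `"FALSE"`, is allowed through by the vulnerable conversion and denied by the fixed one. The `deployment_is_affected` check is the quick triage question for an operator: with the LDAP driver, `user_enabled_invert` at its default and no `user_enabled_emulation`, the deployment is in the affected configuration and should be on a fixed version from the table below.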
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openstack | keystone | >= 0 < 28.0.1 | 28.0.1 |
| openstack | keystone | >= 26.0.0 < 26.1.1 | 26.1.1 |
| openstack | keystone | >= 27.0.0 < 27.0.1 | 27.0.1 |
| openstack | keystone | >= 28.0.0 < 28.0.1 | 28.0.1 |
| openstack | keystone | >= 8.0.0 < 25.0.1 | 25.0.1 |
| ubuntu | keystone | — | — |
CVSS provenance
nvd v3.1 · 7.7 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
vendor_redhat · 7.7 HIGH
vendor_ubuntu · 5.3 MEDIUM
Ubuntu
OpenStack Keystone vulnerabilities
vendor_ubuntu·2026-06-16·CVSS 5.3
CVE-2026-44394 [MEDIUM] OpenStack Keystone vulnerabilities
Title: OpenStack Keystone vulnerabilities
Summary: Several security issues were fixed in OpenStack Keystone.
It was discovered that OpenStack Keystone allowed restricted application credentials to create EC2 credentials. An authenticated attacker with only a reader role could possibly use this issue to bypass the role restrictions imposed on the application credential. (CVE-2026-33551)
It was discovered that the OpenStack Keystone LDAP identity backend did not correctly convert the user enabled attribute to a boolean value. An attacker could possibly use this issue to authenticate as a user disabled in LDAP. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-40683)
It was discovered that OpenStack Keystone's application credential authentication pl
Red Hat
OpenStack Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP user status handling
vendor_redhat·2026-04-14·CVSS 7.7
CVE-2026-40683 [HIGH] CWE-843 OpenStack Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP user status handling
OpenStack Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP user status handling
A flaw was found in OpenStack Keystone. When using the LDAP identity backend, the system incorrectly processes the user enabled attribute if the user_enabled_invert configuration option is set to False. This error causes users marked as disabled in LDAP to be treated as enabled within Keystone, allowing them to authenticate and perform actions despite their disabled status. This can lead to unauthorized access to resources.
Statement: There's a flaw in OpenStack Keystone's LDAP identity backend that allows unauthorized access. When the `user_enabled_invert` configuration option is set to its default of `False`, users marked as disabled in LDAP are incorrectly treated as enabled within Keysto
VulDB
OpenStack Keystone up to 25.0.0/26.1.0/27.0.0/28.0.0 Configuration Options _ldap_res_to_model type confusion
vuldb·2026-04-14·CVSS 7.7
CVE-2026-40683 [HIGH] OpenStack Keystone up to 25.0.0/26.1.0/27.0.0/28.0.0 Configuration Options _ldap_res_to_model type confusion
A vulnerability identified as problematic has been detected in OpenStack Keystone up to 25.0.0/26.1.0/27.0.0/28.0.0. The affected element is the function _ldap_res_to_model of the component Configuration Options Handler. This manipulation causes type confusion.
This vulnerability appears as CVE-2026-40683. The attack may be initiated remotely. There is no available exploit.
You should upgrade the affected component.
GHSA
OpenStack Keystone: LDAP identity backend does not convert enabled attribute to boolean
ghsa·2026-04-14
CVE-2026-40683 [HIGH] CWE-843 OpenStack Keystone: LDAP identity backend does not convert enabled attribute to boolean
OpenStack Keystone: LDAP identity backend does not convert enabled attribute to boolean
In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.
No detection rules found.
No public exploits indexed.
Published: 2026-04-14