CVE-2026-40683

CWE-8433 documents3 sources
Severity
7.7HIGH
EPSS
No EPSS data
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Openstack Keystone
Timeline
PublishedApr 14

Description

In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as ena

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:HExploitability: 1.8 | Impact: 5.3

Affected Packages1 packages

CVEListV5openstack/keystone8.0.025.0.1+3

🔴Vulnerability Details

2
VulDB
OpenStack Keystone up to 25.0.0/26.1.0/27.0.0/28.0.0 Configuration Options _ldap_res_to_model type confusion2026-04-14
CVEList
CVE-2026-40683: In OpenStack Keystone before 282026-04-14
CVE-2026-40683 (HIGH CVSS 7.7) | In OpenStack Keystone before 28.0.1 | cvebase.io