CVE-2026-42998
published 2026-05-28

Priority: P3 (53)
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.30% (21.9th percentile)
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.

Affected

8 ranges

Vendor       Product                        Version range          Fixed in
openstack    keystone                       >= 14.0.0 < 27.0.2     27.0.2
openstack    keystone                       >= 28.0.0 < 28.0.2     28.0.2
openstack    keystone                       >= 29.0.0 < 29.0.2     29.0.2
rhoso        openstack-keystone-rhel9       (not listed)           (not listed)
rhosp-rhel8  openstack-keystone             (not listed)           (not listed)
rhosp-rhel9  openstack-keystone             (not listed)           (not listed)
rhosp13      openstack-keystone             (not listed)           (not listed)
ubuntu       keystone                       (not listed)           (not listed)

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat             8.8     HIGH
vendor_ubuntu             5.3     MEDIUM