CVE-2026-43001
Published 2026-05-01
Priority: P3
CVSS 3.1: 8 (high)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.45% (35.6th percentile)
An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
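As an added illustration, not Keystone's own code, the following Python model shows the missing check described above next to its corrected form, plus a detection heuristic for the resulting token: an EC2 credential requested by an application-credential-scoped caller must carry the project the application credential is bound to, and a token that names an app_cred_id but is scoped to a different project is the artefact of the cross-project exchange. `AuthContext`, `create_credential` and `token_crosses_app_cred_project` are assumed names; the data shapes are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


# Constructed model of the authorization context a token yields. When the
# token came from an application credential, app_cred_id is set and
# project_id is the project that application credential is bound to.
@dataclass
class AuthContext:
    user_id: str
    project_id: str
    app_cred_id: Optional[str] = None


class Forbidden(Exception):
    pass


def create_credential(ctx: AuthContext, body: dict, validate_project: bool = True) -> dict:
    """Model of POST /v3/credentials (hypothetical, not Keystone's handler).

    validate_project=False reproduces the defect: the caller-supplied project_id
    is stored as given. validate_project=True applies the fix: an EC2-type
    credential created under an application credential must stay in that
    credential's project.
    """
    cred_type = body.get("type")
    requested_project = body.get("project_id")
    if validate_project and cred_type == "ec2" and ctx.app_cred_id is not None:
        if requested_project != ctx.project_id:
            raise Forbidden(
                f"application credential {ctx.app_cred_id} is bound to project "
                f"{ctx.project_id}; EC2 credential for {requested_project} refused"
            )
    return {
        "user_id": ctx.user_id,
        "type": cred_type,
        "project_id": requested_project,
        "app_cred_id": ctx.app_cred_id,
    }


def token_crosses_app_cred_project(token: dict, app_cred_projects: dict) -> bool:
    """Detection heuristic over issued tokens: flag a token that carries an
    app_cred_id but is scoped to a project other than the one that application
    credential is bound to (app_cred_projects maps app_cred_id -> project_id)."""
    app_cred_id = token.get("app_cred_id")
    if app_cred_id is None:
        return False
    return app_cred_projects.get(app_cred_id) != token.get("project_id")
```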
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openstack | keystone | 13.0.0 – 29.0.1 | — |
| openstack | keystone | >= 14.0.0 < 27.0.2 | 27.0.2 |
| openstack | keystone | >= 28.0.0 < 28.0.2 | 28.0.2 |
| openstack | keystone | >= 29.0.0 < 29.0.2 | 29.0.2 |
| rhoso | openstack-keystone-rhel9 | — | — |
| rhosp-rhel8 | openstack-keystone | — | — |
| rhosp-rhel9 | openstack-keystone | — | — |
| rhosp13 | openstack-keystone | — | — |
| ubuntu | keystone | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| vendor_redhat | — | 8.5 | HIGH | — |
| vendor_ubuntu | — | 5.3 | MEDIUM | — |
Ubuntu
vendor_ubuntu · 2026-06-16 · CVSS 5.3
CVE-2026-44394 [MEDIUM] OpenStack Keystone vulnerabilities
Title: OpenStack Keystone vulnerabilities
Summary: Several security issues were fixed in OpenStack Keystone.
It was discovered that OpenStack Keystone allowed restricted application credentials to create EC2 credentials. An authenticated attacker with only a reader role could possibly use this issue to bypass the role restrictions imposed on the application credential. (CVE-2026-33551)

It was discovered that the OpenStack Keystone LDAP identity backend did not correctly convert the user enabled attribute to a boolean value. An attacker could possibly use this issue to authenticate as a user disabled in LDAP. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-40683)

It was discovered that OpenStack Keystone's application credential authentication pl
Red Hat
vendor_redhat · 2026-05-01 · CVSS 8.5
CVE-2026-43001 [HIGH] CWE-1288 OpenStack Keystone: Unauthorized cross-project access due to improper validation in EC2 credential creation
A flaw was found in OpenStack Keystone. An attacker holding an unrestricted application credential could exploit a vulnerability in the POST /v3/credentials endpoint where the caller-supplied project_id for an EC2-type credential was not validated against the project of the authenticating application credential. This allows the attacker to create an EC2 credential targeting a different project. Subsequently, a /v3/ec2tokens exchange would issue a Keystone token scoped to the targeted project, enabling unauthorized cross-project access and lateral movement within the credential owner's role footprint.
Statement: This flaw in OpenStack Keystone allows an attacker
VulDB
vuldb · 2026-06-01 · CVSS 8.5
CVE-2026-43001 [HIGH] OpenStack Keystone up to 29 /v3/credentials project_id authorization
A vulnerability was found in OpenStack Keystone up to 29. It has been declared as problematic. This impacts an unknown function of the file /v3/credentials. The manipulation of the argument project_id results in incorrect authorization.
This vulnerability is cataloged as CVE-2026-43001. The attack may be launched remotely. There is no exploit available.
GHSA
ghsa · 2026-05-01
CVE-2026-43001 [HIGH] CWE-863 OpenStack Keystone has an Incorrect Authorization Issue
An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
GHSA (unreviewed)
ghsa_unreviewed · 2026-05-01
CVE-2026-43001 [HIGH] CWE-863 GHSA-hhq2-3832-xxcv: An issue was discovered in OpenStack Keystone 13 through 29 (description identical to the GHSA entry above)
No detection rules found.
No public exploits indexed.
References:
- https://bugs.launchpad.net/keystone/+bug/2149775
- https://review.opendev.org/c/openstack/keystone/+/985804
- https://security.openstack.org/ossa/OSSA-2026-015.html
- https://access.redhat.com/security/cve/CVE-2026-43001
- https://bugzilla.redhat.com/show_bug.cgi?id=2464305
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43001.json

Published: 2026-05-01