CVE-2026-44394
published 2026-05-28


Priority: P3 (50, high)
CVSS 3.1: 8.1 HIGH, vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.25% (16.1 percentile)
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.
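The mechanism described above is easier to reason about with a small model. The block below is an added example written for this page; it is not Keystone's own code and does not reproduce its token provider or the mapped plugin. It models the two behaviours the description names (the plugin either omitting or carrying forward expires_at, and the provider falling back to a fresh default TTL when the value is missing) and shows the consequence: with the fallback, a user who rescopes shortly before each expiry keeps a valid token past the configured lifetime; with expiry propagated, the second rescope attempt already finds the token expired. It also includes the check an operator can run against a real deployment: issue a federated token, rescope it with POST /v3/auth/tokens, and compare the two expires_at values. Names such as issue_token, rescope, simulate and expiry_preserved, the constant DEFAULT_TTL and the two sample JSON responses are assumptions constructed for the example, not Keystone identifiers.

```python
"""Model of the federated rescope expiry bug (added example, not Keystone code)."""
from datetime import datetime, timedelta, timezone

# Stands in for the operator-configured [token] expiration; hypothetical value.
DEFAULT_TTL = timedelta(hours=1)


def issue_token(now, expires_at=None):
    """Token provider behaviour as described in the advisory: honour an
    expires_at supplied by the auth plugin, otherwise fall back to a fresh TTL."""
    return {"issued_at": now, "expires_at": expires_at or now + DEFAULT_TTL}


def rescope(token, now, propagate_expiry):
    """Rescope an existing token. propagate_expiry=False models the unfixed
    plugin returning response data without expires_at; True models the fix."""
    auth_data = {"expires_at": token["expires_at"]} if propagate_expiry else {}
    return issue_token(now, auth_data.get("expires_at"))


def simulate(propagate_expiry, rescopes=10, interval=timedelta(minutes=50)):
    """Rescope every `interval` for `rescopes` rounds.

    Returns (still_valid, elapsed_or_final_lifetime):
      - (True, lifetime from the first issue to the last token's expiry) if every
        rescope succeeded, i.e. access was kept past the configured TTL;
      - (False, time at which a rescope was refused) once the token had expired.
    """
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed start time
    tok = issue_token(t0)
    now = t0
    for _ in range(rescopes):
        now += interval
        if now >= tok["expires_at"]:
            return False, now - t0  # expired before the next rescope: locked out
        tok = rescope(tok, now, propagate_expiry)
    return True, tok["expires_at"] - t0


# ---- Deployment check: compare two real token responses -------------------

def parse_keystone_ts(value):
    """Keystone emits timestamps like 2026-01-01T01:00:00.000000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def expiry_preserved(original_response, rescoped_response):
    """True if the rescoped token does not outlive the token it was derived from.

    Both arguments are the JSON bodies returned by POST /v3/auth/tokens (the
    original federated token, then the rescoped one). A rescoped expires_at that
    is later than the original is the behaviour the advisory describes.
    """
    orig = parse_keystone_ts(original_response["token"]["expires_at"])
    new = parse_keystone_ts(rescoped_response["token"]["expires_at"])
    return new <= orig


# Constructed sample responses, reduced to the field this check needs.
ORIG_RESP = {"token": {"expires_at": "2026-01-01T01:00:00.000000Z"}}
SAFE_RESCOPE = {"token": {"expires_at": "2026-01-01T01:00:00.000000Z"}}  # carried forward
BAD_RESCOPE = {"token": {"expires_at": "2026-01-01T01:50:00.000000Z"}}   # fresh TTL applied


if __name__ == "__main__":
    ok, lifetime = simulate(propagate_expiry=False)
    print("without propagation: still valid =", ok, "total lifetime =", lifetime)
    ok, when = simulate(propagate_expiry=True)
    print("with propagation: still valid =", ok, "refused at +", when)
    print("safe rescope preserved expiry:", expiry_preserved(ORIG_RESP, SAFE_RESCOPE))
    print("bad rescope preserved expiry:", expiry_preserved(ORIG_RESP, BAD_RESCOPE))
```

To run the check against a live deployment, capture the body of the initial federated token response and of the rescope response (the rescope request carries the original token under auth.identity.token.id and a project or domain scope) and feed the two JSON objects to expiry_preserved; a False result on a fixed release should be treated as a misconfiguration worth investigating, and on an unfixed release confirms exposure. Only federation-backed tokens exercise the affected path, so the check must be done with a SAML2 or OpenID Connect user, not a local one.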

Affected (8 ranges)

Vendor        Product                   Version range          Fixed in
openstack     keystone                  >= 14.0.0, < 27.0.2    27.0.2
openstack     keystone                  >= 28.0.0, < 28.0.2    28.0.2
openstack     keystone                  >= 29.0.0, < 29.0.2    29.0.2
rhoso         openstack-keystone-rhel9  (not stated)           (not stated)
rhosp-rhel8   openstack-keystone        (not stated)           (not stated)
rhosp-rhel9   openstack-keystone        (not stated)           (not stated)
rhosp13       openstack-keystone        (not stated)           (not stated)
ubuntu        keystone                  (not stated)           (not stated)

CVSS provenance

Source         Version  Score       Vector
nvd            v3.1     8.1 HIGH    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vendor_redhat           8.1 HIGH
vendor_ubuntu           5.3 MEDIUM