CVE-2026-44394
Published: 2026-05-28
Priority: P3 (50) · Severity: high
CVSS 3.1: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.25% (16.1th percentile)
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.
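The fallback described above, modelled as an added example that is not Keystone's code: `issue_token` stands in for the token provider, the two `rescope_*` functions for the mapped plugin before and after an assumed fix that lets a rescoped token inherit (and never exceed) its parent's `expires_at`, and `outlives_parent` is a simple audit check over token records. All names, the one-hour TTL and the sample clock are constructed for the demo.

```python
# Simplified model of the CVE-2026-44394 flaw (added illustration, not Keystone's
# code); rescope_fixed assumes the mitigation is to carry the parent's expiry forward.
from dataclasses import dataclass
from datetime import datetime, timedelta

DEFAULT_TTL = timedelta(hours=1)      # stand-in for the operator-configured token TTL
HALF_HOUR = timedelta(minutes=30)
SAMPLE_START = datetime(2026, 5, 28)  # constructed clock origin for the demo

@dataclass(frozen=True)
class Token:
    user_id: str
    scope: str
    expires_at: datetime

def issue_token(auth_data: dict, now: datetime) -> Token:
    """Token provider: no expires_at in the plugin response -> fresh default TTL."""
    expires_at = auth_data.get("expires_at") or now + DEFAULT_TTL
    return Token(auth_data["user_id"], auth_data.get("scope", "unscoped"), expires_at)

def _require_valid(token: Token, now: datetime) -> None:
    if token.expires_at <= now:
        raise PermissionError("token expired; cannot rescope")

def rescope_vulnerable(token: Token, scope: str, now: datetime) -> Token:
    """Mapped plugin as the CVE describes it: response data omits expires_at."""
    _require_valid(token, now)
    return issue_token({"user_id": token.user_id, "scope": scope}, now)

def rescope_fixed(token: Token, scope: str, now: datetime) -> Token:
    """Assumed mitigation: the rescoped token never outlives its parent."""
    _require_valid(token, now)
    expires_at = min(token.expires_at, now + DEFAULT_TTL)
    return issue_token({"user_id": token.user_id, "scope": scope,
                        "expires_at": expires_at}, now)

def outlives_parent(parent: Token, child: Token) -> bool:
    # Audit check: a child expiring after its parent means expiry was not propagated.
    return child.expires_at > parent.expires_at

def chain_lifetime(rescope, rescopes: int, every: timedelta = HALF_HOUR) -> float:
    """Hours a chain stays valid when rescoped `rescopes` times, `every` apart."""
    now, tok = SAMPLE_START, issue_token({"user_id": "federated-user"}, SAMPLE_START)
    for _ in range(rescopes):
        now += every
        if tok.expires_at <= now:  # nothing valid left to rescope
            break
        tok = rescope(tok, "project-a", now)
    return (tok.expires_at - SAMPLE_START) / timedelta(hours=1)
```

With the vulnerable plugin, ten rescopes half an hour apart keep the chain alive for six hours against a one-hour policy; with the expiry carried forward the chain dies at the original one-hour mark.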
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openstack | keystone | >= 14.0.0 < 27.0.2 | 27.0.2 |
| openstack | keystone | >= 28.0.0 < 28.0.2 | 28.0.2 |
| openstack | keystone | >= 29.0.0 < 29.0.2 | 29.0.2 |
| rhoso | openstack-keystone-rhel9 | — | — |
| rhosp-rhel8 | openstack-keystone | — | — |
| rhosp-rhel9 | openstack-keystone | — | — |
| rhosp13 | openstack-keystone | — | — |
| ubuntu | keystone | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| vendor_redhat | 8.1 | HIGH | — |
| vendor_ubuntu | 5.3 | MEDIUM | — |
GHSA
GHSA-whqr-fgm5-x77q · ghsa_unreviewed · 2026-05-28 · CVSS 4.9 (MEDIUM) · CWE-863
Description: identical to the CVE description above.
VulDB
vuldb · 2026-05-28 · CVSS 6.0 (MEDIUM)
OpenStack Keystone up to 27.0.1/28.0.1/29.0.1 Authentication Plugin /v3/auth/tokens handle_scoped_token expires_at authorization
A vulnerability categorized as problematic has been discovered in OpenStack Keystone up to 27.0.1/28.0.1/29.0.1. This vulnerability affects the function handle_scoped_token of the file /v3/auth/tokens of the component Authentication Plugin Handler. The manipulation of the argument expires_at results in incorrect authorization.
This vulnerability is cataloged as CVE-2026-44394. The attack may be launched remotely. There is no exploit available.
It is advisable to upgrade the affected component.
Ubuntu
vendor_ubuntu · 2026-06-16 · CVSS 5.3 (MEDIUM)
Title: OpenStack Keystone vulnerabilities
Summary: Several security issues were fixed in OpenStack Keystone.
It was discovered that OpenStack Keystone allowed restricted application
credentials to create EC2 credentials. An authenticated attacker with only
a reader role could possibly use this issue to bypass the role restrictions
imposed on the application credential. (CVE-2026-33551)
It was discovered that the OpenStack Keystone LDAP identity backend did
not correctly convert the user enabled attribute to a boolean value.
An attacker could possibly use this issue to authenticate as a user disabled
in LDAP. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,
and Ubuntu 25.10. (CVE-2026-40683)
It was discovered that OpenStack Keystone's application credential
authentication pl
Red Hat
vendor_redhat · 2026-05-28 · CVSS 8.1 (HIGH) · CWE-613
openstack-keystone: OpenStack Keystone: Federated token rescoping allows indefinite access
A flaw was found in OpenStack Keystone. The federated token rescoping mechanism does not correctly propagate the original token's expiry to newly issued tokens. This allows a federated user to repeatedly rescope a token before it expires, effectively maintaining indefinite access and bypassing configured token lifetime policies. This vulnerability can lead to unauthorized persistent access to resources.
Statement: This MODERATE token lifetime bypass in Keystone affects federated identity deployments (SAML2, OIDC). Authenticated users can maintain indefinite access by repeatedly rescoping tokens before expiry. High complexity reflects the federated identity requirement. Impact is low confidentiality
No detection rules found.
No public exploits indexed.