By vendor

Openstack vulnerabilities

Known CVEs affecting Openstack products, prioritized by severity, with SEC.co remediation and detection guidance.

4 published vulnerabilities

  • CVE-2026-42998MEDIUM 6.0

    OpenStack Keystone contains an authentication bypass vulnerability in its application credential system. An attacker with valid credentials can request a token while impersonating another user by manipulating the user identity in the authentication request. Keystone fails to validate that the requesting user owns the application credential being used, allowing the attacker to obtain a token attributed to a victim account. The token grants access only to projects shared between the attacker and victim, and only with roles that overlap between both users' permissions, but this is still sufficient for account takeover scenarios and audit trail manipulation.

  • CVE-2026-42999MEDIUM 6.0

    OpenStack Keystone contains a critical authorization bypass vulnerability that allows any authenticated user to escalate their privileges and access resources belonging to other users or projects. The vulnerability stems from a flaw in how Keystone processes policy enforcement—it blindly merges user-supplied JSON request data into the authorization check dictionary, overwriting the trusted database-sourced security context. This means an attacker can simply inject fake user IDs or project IDs into their API request to trick the system into granting them permissions they shouldn't have. The issue affects all versions before 29.0.2 and has existed since Rocky (14.0.0).

  • CVE-2026-43000MEDIUM 6.0

    An authenticated attacker with basic member-level permissions on an OpenStack Keystone project can escalate their privileges to administrator by chaining two Keystone features—application credentials and trusts—in an unintended way. The attack exploits a validation gap: when an impersonated token is created, Keystone checks the victim's stored admin role assignment in the database rather than validating against the actual permissions on the requesting token. This allows the attacker to create a trust that delegates the victim's admin privileges to themselves. The resulting admin access persists independently and can be maintained through additional credential chains, while all actions appear in audit logs under the victim's identity.

  • CVE-2026-44394MEDIUM 6.0

    OpenStack Keystone, the identity service underlying many cloud deployments, has a flaw in how it handles federated user logins through SAML2 or OpenID Connect. When a user rescopes a token (essentially asking for a new token with different permissions or projects), the system doesn't carry forward the original token's expiration time. Instead, it issues a fresh token with a standard lifetime. An attacker with valid federated credentials can exploit this by repeatedly rescoping their token just before it expires, effectively creating a token that never truly expires. This bypasses the organization's configured token lifetime policies, allowing indefinite access once initial compromise occurs.