CVE-2026-42998: OpenStack Keystone Application Credential Authentication Bypass
OpenStack Keystone contains an authentication bypass vulnerability in its application credential system. An attacker with valid credentials can request a token while impersonating another user by manipulating the user identity in the authentication request. Keystone fails to validate that the requesting user owns the application credential being used, allowing the attacker to obtain a token attributed to a victim account. The token grants access only to projects shared between the attacker and victim, and only with roles that overlap between both users' permissions, but this is still sufficient for account takeover scenarios and audit trail manipulation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.0 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-863
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42998 exploits insufficient authorization checks in Keystone's application credential authentication flow. When a user authenticates using an application credential (ID and secret), Keystone does not verify that the requesting principal owns that credential. An attacker can supply their own application credential's ID and secret, then specify an arbitrary victim's username and domain in the request body. Keystone incorrectly issues a token scoped to the victim's account. The resulting token's role set is the intersection of the application credential's roles and the victim's project roles, which limits but does not prevent abuse. The vulnerability is classified as CWE-863 (Improper Authorization) and affects versions before 29.0.2.
Business impact
This vulnerability creates identity confusion at the authentication layer, enabling attackers to evade audit controls and access victim data or perform actions as another user within shared project boundaries. In multi-tenant environments where application credentials are used for service-to-service or programmatic access, an internal actor or compromised service account could impersonate legitimate users, read their credentials, modify shared resources, or perform actions that appear in audit logs under the victim's identity. The impact is particularly severe in organizations relying on audit trails for compliance or incident investigation, as the attacker's activities would be attributed to the victim.
Affected systems
OpenStack Keystone deployments running versions prior to 29.0.2 are affected. Keystone is the identity service component in OpenStack clouds, so any OpenStack installation using a vulnerable version is at risk. The vulnerability is most exploitable in environments where application credentials are widely distributed or used by multiple services, and where users share projects. Deployments using only personal user credentials (and not application credentials for authentication) have reduced exposure but are still technically vulnerable if any application credential is present.
Exploitability
The vulnerability requires an attacker to already possess a valid application credential (ID and secret). This means the threat is primarily from internal actors, compromised service accounts, or scenarios where application credentials have been leaked. The attacker does not need special privileges—any authenticated user with an application credential can attempt impersonation. No user interaction is required, and the attack is remotely exploitable over the network. However, the attacker can only impersonate users within projects they already have access to, and the resulting token's permissions are constrained by role intersection. The attack is straightforward once a credential is obtained, making it a high-probability exploit path for insiders or compromised accounts.
Remediation
Upgrade OpenStack Keystone to version 29.0.2 or later. This patch adds proper ownership validation to the application credential authentication flow, ensuring that only the credential's owner can authenticate using that credential. Organizations should prioritize this upgrade for Keystone services that support multi-user or multi-tenant access patterns. Verify the patch level against your vendor advisory before deployment. Additionally, review application credential usage policies: limit the number of application credentials issued, enforce credential rotation schedules, and implement network segmentation to reduce the blast radius of a compromised credential.
Patch guidance
Apply the Keystone 29.0.2 update or later as soon as feasible. Verify compatibility with your OpenStack distribution and other dependent services before deploying to production. The patch should be applied to all Keystone instances in your deployment, including redundant or load-balanced configurations. Test the upgrade in a staging environment to confirm that existing application credential workflows continue to function. After patching, conduct a review of recent authentication logs to identify any suspicious impersonation attempts that may have occurred prior to the fix.
Detection guidance
Monitor Keystone authentication logs for anomalies: look for successful token issuance events where the authenticated user differs from the requesting client's expected identity, particularly when application credentials are involved. Search for patterns where a single application credential is used to obtain tokens for multiple distinct user identities, especially across different projects or domains. Review audit trails for actions attributed to users that do not align with their typical behavior or access patterns. Enable detailed logging in Keystone if not already active, and correlate authentication events with subsequent API calls to identify impersonation chains. Examine application credential usage: identify which services or users hold credentials, and cross-reference with unexpected authentication patterns.
Why prioritize this
This vulnerability merits prompt attention because it directly undermines authentication integrity in identity systems. Although the CVSS score is moderate (6.0), the nature of the flaw—identity spoofing with audit trail poisoning—has disproportionate business and compliance impact. The fix is available and straightforward to deploy. Organizations in regulated industries or with strict audit requirements should treat this as high-priority. The vulnerability is not yet in the CISA KEV catalog, but its functional severity warrants defensive action regardless.
Risk score, explained
The CVSS 3.1 score of 6.0 (MEDIUM) reflects the requirement that an attacker must already possess a valid application credential, reducing the attack surface compared to unauthenticated exploits. However, the scope is marked as changed because the attack crosses trust boundaries—the attacker impersonates another user—and the impact touches confidentiality (reading victim credentials), integrity (acting as the victim), and availability (audit log integrity). The score does not fully capture the compliance and audit trail implications, which may justify a higher organizational risk rating despite the moderate CVE score.
Frequently asked questions
Can an attacker exploit this without having an application credential first?
No. The attacker must possess a valid application credential ID and secret. This limits the threat to scenarios involving compromised service accounts, leaked credentials, or malicious insiders. However, once any application credential is obtained, the attacker can impersonate other users, making credential hygiene and access controls critical.
What is the difference between the attacker's permissions and the victim's permissions in an impersonation attack?
The resulting token's role set is the intersection of the attacker's application credential roles and the victim's actual roles on the target project. For example, if the credential grants 'reader' and 'admin' roles, but the victim only has 'reader' on the project, the impersonated token will have only 'reader'. This constrains but does not eliminate the attack.
Does this vulnerability affect non-application credential authentication (e.g., username/password)?
No. The vulnerability is specific to the application credential authentication plugin. Traditional user credential flows and other authentication methods are not affected by this flaw. However, if an attacker compromises an application credential, they gain the ability to impersonate users regardless of how other users authenticate.
How should we detect if we've been exploited by this vulnerability?
Review Keystone authentication logs for token issuance events where the requesting application credential's owner does not match the token's attributed user. Look for a single application credential obtaining tokens for multiple users or projects. Correlate authentication anomalies with subsequent API activity. Enable detailed Keystone audit logging if not already active, and conduct a forensic review of recent user activities for actions inconsistent with normal behavior patterns.
This analysis is provided for informational purposes and does not constitute professional security advice. Organizations should validate all findings against their specific environment, vendor advisories, and internal policies before taking action. SEC.co does not provide guarantees regarding exploit availability, attack prevalence, or remediation effectiveness. Always test patches in a non-production environment first. Consult your vendor's official advisory for the most current guidance and compatibility information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42999MEDIUMOpenStack Keystone RBAC Bypass via JSON Request Body Injection
- CVE-2026-43000MEDIUMOpenStack Keystone Privilege Escalation via Application Credential Impersonation
- CVE-2026-44394MEDIUMOpenStack Keystone Federated Token Rescoping Bypass – MEDIUM Severity
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10860MEDIUMMISP Delete Validation Bypass – Logic Error in HTTP DELETE Handler
- CVE-2026-32906MEDIUMOpenClaw Privilege Escalation in Slack Plugin Approvals