CVE-2026-44394: OpenStack Keystone Federated Token Rescoping Bypass – MEDIUM Severity
OpenStack Keystone, the identity service underlying many cloud deployments, has a flaw in how it handles federated user logins through SAML2 or OpenID Connect. When a user rescopes a token (essentially asking for a new token with different permissions or projects), the system doesn't carry forward the original token's expiration time. Instead, it issues a fresh token with a standard lifetime. An attacker with valid federated credentials can exploit this by repeatedly rescoping their token just before it expires, effectively creating a token that never truly expires. This bypasses the organization's configured token lifetime policies, allowing indefinite access once initial compromise occurs.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.0 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-863
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in OpenStack Keystone's federated authentication rescoping flow. When a federated identity provider (IdP) user performs token rescoping via POST /v3/auth/tokens, the mapped_auth plugin's handle_scoped_token() function returns response data lacking an expires_at field. The Keystone token provider then defaults to issuing a token with the system's configured default TTL rather than inheriting or calculating a constrained expiry from the original token. An authenticated federated user can invoke this rescoping endpoint repeatedly, resetting their token's lifetime with each call before expiration occurs. This creates an indefinite session lifetime despite operator-configured token expiration policies. The issue is specific to federated authentication flows and does not affect non-federated (native) Keystone users.
Business impact
Organizations running federated identity deployments with OpenStack Keystone face a session persistence risk. A compromised federated account—or an insider with valid federation credentials—can maintain indefinite access to cloud resources without re-authentication or compliance with configured access control periods. In regulated environments with mandatory session timeouts, this directly conflicts with access governance and audit controls. The impact is amplified in multi-tenant cloud environments where federated access often enables contractor, partner, or cross-organization access. Token expiration is a foundational security control; bypass undermines incident response, compliance reporting, and access revocation workflows.
Affected systems
OpenStack Keystone versions prior to 29.0.2 are affected. The vulnerability requires federated identity configuration using SAML2, OpenID Connect, or similar identity provider integrations. Deployments using only native Keystone authentication (local user credentials, LDAP direct binding) are not affected. The scope is limited to environments that have explicitly enabled federated authentication mapping.
Exploitability
Exploitation requires an authenticated federated user account. The CVSS vector (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L) reflects network accessibility, high attack complexity, low privilege requirement, and cross-system impact. Attack complexity is high because the attacker must time token rescopes before expiration and maintain knowledge of the rescoping endpoint. Practical exploitation is straightforward once credentials are compromised: automated token rescoping at regular intervals perpetuates access. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting limited public exploitation to date, but the attack pattern is relatively simple to execute.
Remediation
Upgrade OpenStack Keystone to version 29.0.2 or later. Organizations should prioritize patching systems where federated identity is in active use, particularly in multi-tenant or partner access scenarios. Interim mitigations include reducing the default token TTL to minimize the window for rescope-based persistence attacks, implementing strict API rate-limiting on the /v3/auth/tokens rescoping endpoint, and monitoring for repeated token rescoping from single user accounts. Verify the patch against the official OpenStack release notes and security advisories.
Patch guidance
Apply OpenStack Keystone 29.0.2 or any later version. Review your deployment's release schedule and staging procedures. Test the patch in a non-production federated authentication environment to confirm rescoping behavior and token expiry propagation. After deployment, validate that tokens issued via federated rescoping now correctly carry forward or inherit the original token's expiration constraint. Monitor logs for token rescoping patterns during and after patching to detect any residual anomalies or compatibility issues with IdP configurations.
Detection guidance
Search for repeated POST requests to /v3/auth/tokens rescoping endpoints from the same federated user within short time intervals (e.g., multiple rescopes per minute or every few minutes). Log token creation events and cross-reference token expiry values: a rescoped token should not carry a fresh TTL that extends well beyond the original token's remaining lifetime. Query Keystone audit logs for high-frequency token rescoping by individual federated accounts, particularly before token expiration windows close. Correlate rescoping patterns with actual API access to cloud resources to identify whether indefinite session persistence is being leveraged for sustained unauthorized activity.
Why prioritize this
This is a MEDIUM-severity vulnerability affecting a foundational identity service, but it is not in active exploitation and requires authenticated access. However, prioritization depends on your architecture: if you operate OpenStack with federated identity (especially for partner, contractor, or cross-org access), this should be treated as HIGH priority because token expiration is a core access control and compliance mechanism. Non-federated OpenStack deployments can defer this to standard patch cycles. The variant relationship to CVE-2012-3426 suggests a historical weakness in token expiry propagation; treat this as a persistent design gap requiring careful testing post-patch.
Risk score, explained
The CVSS 3.1 score of 6.0 (MEDIUM) reflects the authentication requirement (PR:L), the network-accessible endpoint, and the ability to impact confidentiality, integrity, and availability across system boundaries (S:C / C:L / I:L / A:L). The high attack complexity factor (AC:H) tempers the score—practical exploitation requires timing and knowledge of the rescoping mechanism. However, the contextual severity in federated deployments is higher: token lifetime bypass is a direct violation of session management controls. Organizations with strict audit or compliance requirements should treat this as functionally higher risk than the numeric score suggests.
Frequently asked questions
Does this affect non-federated OpenStack deployments?
No. This vulnerability is specific to federated authentication flows using identity providers like SAML2 or OpenID Connect. Deployments using only native Keystone users, LDAP direct binding, or local credentials are not affected.
Can we use token TTL reduction as a permanent workaround?
Reducing default token TTL can buy time by shrinking the window for rescope-based persistence, but it is not a fix and increases user friction. Patching to version 29.0.2 or later is the proper remediation. Short TTL alone does not prevent the underlying rescoping bypass.
How does this relate to CVE-2012-3426?
This vulnerability is a variant of the same token expiry propagation weakness discovered in 2012. The rescoping mechanism was reintroduced or persisted without the same expiry controls. This suggests the issue may resurface in future code; ensure your organization's code review practices include token lifecycle verification during refactoring.
What should we look for in logs to detect exploitation?
Monitor Keystone audit logs for federated users making repeated POST requests to /v3/auth/tokens (rescoping endpoint) within short time intervals, especially patterns timed just before token expiry. Cross-check whether the new tokens carry fresh default TTLs instead of inheriting the original token's remaining lifetime. Correlate with resource API calls to confirm the actor is leveraging the indefinite session for sustained access.
This analysis is provided for informational purposes and does not constitute legal, compliance, or formal security advice. CVSS scores and severity ratings are based on the published vulnerability record and may not reflect your organization's specific risk context. Federated deployments with strict compliance requirements should treat this vulnerability as higher priority than the numeric score suggests. Always verify patch availability and compatibility with your specific OpenStack version and configuration before deployment. Test patches in a staging environment with your federated IdP configuration before production rollout. Coordinate patching with your identity provider team to ensure no authentication disruptions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42998MEDIUMOpenStack Keystone Application Credential Authentication Bypass
- CVE-2026-42999MEDIUMOpenStack Keystone RBAC Bypass via JSON Request Body Injection
- CVE-2026-43000MEDIUMOpenStack Keystone Privilege Escalation via Application Credential Impersonation
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10860MEDIUMMISP Delete Validation Bypass – Logic Error in HTTP DELETE Handler
- CVE-2026-32906MEDIUMOpenClaw Privilege Escalation in Slack Plugin Approvals