Message-ID: <aWkInhuT5D-s-MOh@yuggoth.org>
Date: Thu, 15 Jan 2026 15:32:46 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797)
====================================================================
OSSA-2026-001: Privilege Escalation via Identity Headers in External
OAuth2 Tokens
====================================================================
:Date: January 15, 2026
:CVE: CVE-2026-22797
Affects
~~~~~~~
- Keystonemiddleware: >=10.0.0 <10.7.2, >=10.8.0 <10.9.1, >=10.10.0 <10.12.1
Description
~~~~~~~~~~~
Grzegorz Grasza with Red Hat reported a vulnerability in the
external_oauth2_token middleware for keystonemiddleware. This
middleware fails to sanitize incoming authentication headers before
processing OAuth 2.0 tokens. By sending forged identity headers such
as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated
attacker may escalate privileges or impersonate other users. All
deployments using the external_oauth2_token middleware are affected.
Patches
~~~~~~~
- https://review.opendev.org/973499 (2024.1/caracal)
- https://review.opendev.org/973497 (2024.2/dalmatian)
- https://review.opendev.org/973496 (2025.1/epoxy)
- https://review.opendev.org/973495 (2025.2/flamingo)
- https://review.opendev.org/973494 (2026.1/gazpacho)
Credits
~~~~~~~
- Grzegorz Grasza from Red Hat (CVE-2026-22797)
References
~~~~~~~~~~
- https://launchpad.net/bugs/2129018
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22797
Notes
~~~~~
- The unmaintained/2024.1 branches will receive no new point releases,
but patches for them are provided as a courtesy.
- This bug was possible because the middleware only conditionally set
certain headers (e.g., X-Is-Admin-Project was only set when the token
had admin privileges), leaving spoofed values intact when conditions
were not met.
- The fix adds a call to remove_auth_headers() at the start of request
processing to sanitize all incoming identity headers, matching the
behavior of the main auth_token middleware.
- The external_oauth2_token middleware was introduced in
keystonemiddleware 10.0.0.
--
Jeremy Stanley
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
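The Notes above describe the bug class (identity headers written only when the validated token carries the matching attribute, so client-supplied values survive otherwise) and the fix (strip all identity headers first). The following is an added illustration of both, not keystonemiddleware's own code: the token layout, the token-to-header mapping, the function names and the sample request are all constructed here.

```python
# Constructed illustration of the header-sanitization gap in OSSA-2026-001.
# This is NOT keystonemiddleware code; names and token layout are made up.

# Identity headers the middleware owns; compared case-insensitively because
# HTTP header names are case-insensitive.
IDENTITY_HEADERS = {"x-user-id", "x-roles", "x-is-admin-project"}

# Token attribute -> header it populates (constructed mapping).
TOKEN_TO_HEADER = {
    "user_id": "X-User-Id",
    "roles": "X-Roles",
    "is_admin_project": "X-Is-Admin-Project",
}


def set_identity_headers(headers, token):
    """Pre-fix pattern: a header is written only when the validated token
    carries the matching attribute; anything the client sent for an
    attribute the token lacks is left in place untouched."""
    out = dict(headers)
    for attr, header in TOKEN_TO_HEADER.items():
        value = token.get(attr)
        if value:
            out[header] = ",".join(value) if isinstance(value, list) else str(value)
    return out


def remove_auth_headers(headers):
    """Drop every client-supplied identity header before processing."""
    return {k: v for k, v in headers.items() if k.lower() not in IDENTITY_HEADERS}


def process_request_vulnerable(headers, token):
    return set_identity_headers(headers, token)


def process_request_fixed(headers, token):
    # The fix: sanitize first, then populate from the validated token only.
    return set_identity_headers(remove_auth_headers(headers), token)


# Constructed sample: a low-privilege token and a request that already carries
# an identity header (lower-cased to show why matching must ignore case).
SAMPLE_TOKEN = {"user_id": "u-1234", "roles": ["member"]}
SAMPLE_HEADERS = {"Content-Type": "application/json", "x-is-admin-project": "True"}

if __name__ == "__main__":
    print("vulnerable:", process_request_vulnerable(SAMPLE_HEADERS, SAMPLE_TOKEN))
    print("fixed:     ", process_request_fixed(SAMPLE_HEADERS, SAMPLE_TOKEN))
```

In the vulnerable path the client-supplied admin-project header reaches the backend alongside the token's real identity; in the fixed path only headers derived from the validated token remain.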