Message-ID: <eda670ae-ab8d-470c-a2cb-b98fb3e86475@gmail.com>
Date: Thu, 28 May 2026 09:38:01 -0700
From: Goutham Pacha Ravi <gouthampravi@...il.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2026-015] OpenStack Keystone: Multiple credential delegation and authorization bypass vulnerabilities (CVE-2026-42998, CVE-2026-42999, CVE-2026-43000, CVE-2026-43001, CVE-2026-44394)
==================================================================================================
OSSA-2026-015: Multiple credential delegation and authorization bypass
vulnerabilities in Keystone
==================================================================================================
:Date: May 28, 2026
:CVE: CVE-2026-42998,
CVE-2026-42999,
CVE-2026-43000,
CVE-2026-43001,
CVE-2026-44394
Affects
~~~~~~~
- Keystone: >=14.0.0 <27.0.2, >=28.0.0 <28.0.2, >=29.0.0 <29.0.2
Description
~~~~~~~~~~~
Boris Bobrov from SAP SE reported that an authenticated attacker can
inject RBAC policy targets via the JSON request body, bypassing
authorization on any policy-protected endpoint to read credential
secrets, create credentials for arbitrary users, and escalate to cloud
admin (CVE-2026-42999). Application credential authentication does not
verify the caller owns the credential, enabling user impersonation
within a shared project (CVE-2026-42998). This impersonation can be
chained with trusts to escalate from member to admin, with the resulting
trust persisting independently (CVE-2026-43000). Tim Shepherd from
roiai.ca reported that application credentials scoped to one project can
create EC2 credentials for a different project (CVE-2026-43001). Erichen
from the Institute of Computing Technology, Chinese Academy of Sciences
reported that federated users can maintain access indefinitely by
repeatedly rescoping tokens before expiry, as each rescope issues a
fresh full-TTL token instead of inheriting the original expiry
(CVE-2026-44394). Additionally, Artem Goncharov from SysEleven GmbH
identified related issues in trust-scoped token handling and policy
enforcement during investigation. All Keystone deployments are affected;
CVE-2026-44394 only affects SAML2/OIDC deployments.
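As an added illustration that is not Keystone's code, the block below sketches three server-side checks matching the failure modes described above: a rescoped token inheriting the original expiry rather than a fresh TTL (CVE-2026-44394), an application-credential login that mints a token only for the credential's stored owner (CVE-2026-42998), and an RBAC target built from stored state rather than from anything a client sends (CVE-2026-42999). The token shape, the in-memory stores, the simplified policy-rule syntax and every function name are constructed assumptions, not Keystone's API.

```python
"""Added illustration, not Keystone code: three server-side checks that
correspond to the failure modes described in the advisory. The token shape,
the credential stores, the policy-rule syntax and every name here are
constructed and simplified assumptions."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

TTL = timedelta(hours=1)                                   # assumed token lifetime
NOW = datetime(2026, 5, 28, 9, 0, tzinfo=timezone.utc)     # constructed clock


def minutes(n: int) -> datetime:
    """Helper clock: NOW plus n minutes."""
    return NOW + timedelta(minutes=n)


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: str | None
    issued_at: datetime
    expires_at: datetime
    federated: bool = False


def issue_token(user_id: str, project_id: str | None, now: datetime,
                federated: bool = False) -> Token:
    return Token(user_id, project_id, now, now + TTL, federated)


# --- CVE-2026-44394 pattern: a rescoped token inherits the original expiry ---
def rescope(original: Token, project_id: str, now: datetime) -> Token:
    """Derive a project-scoped token from an existing one.

    Granting a fresh full TTL here is the behaviour the advisory describes;
    instead the derived token keeps the original expiry (the min() is only a
    safety bound), so repeated rescoping can never extend a session."""
    if now >= original.expires_at:
        raise PermissionError("cannot rescope an expired token")
    return replace(original, project_id=project_id, issued_at=now,
                   expires_at=min(original.expires_at, now + TTL))


# --- CVE-2026-42998 pattern: the token's user is the credential's owner ---
# Constructed store; SHA-256 is used for brevity only, a slow password hash
# belongs in a real service.
APP_CREDS = {
    "ac-1": {"user_id": "user-a", "project_id": "proj-1",
             "secret_hash": hashlib.sha256(b"s3cret-a").hexdigest()},
}


def auth_app_credential(app_cred_id: str, secret: str,
                        claimed_user_id: str | None, now: datetime) -> Token:
    rec = APP_CREDS.get(app_cred_id)
    if rec is None:
        raise PermissionError("unknown application credential")
    presented = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(rec["secret_hash"], presented):
        raise PermissionError("bad secret")
    # A user id named in the request may only confirm the stored owner; it
    # never selects whose token is minted.
    if claimed_user_id is not None and claimed_user_id != rec["user_id"]:
        raise PermissionError("credential is not owned by the named user")
    return issue_token(rec["user_id"], rec["project_id"], now)


# --- CVE-2026-42999 pattern: the RBAC target comes from stored state only ---
CREDENTIALS = {
    "cred-1": {"id": "cred-1", "user_id": "user-a", "project_id": "proj-1",
               "blob": "constructed-secret-material"},
}
POLICY = {"identity:get_credential": "user_id:%(target.credential.user_id)s"}


def policy_target(credential_id: str) -> dict:
    """Build the enforcement target from the stored resource. The request
    body is not an input, so client-supplied target attributes are inert."""
    stored = CREDENTIALS[credential_id]
    return {"target": {"credential": {"user_id": stored["user_id"],
                                      "project_id": stored["project_id"]}}}


def enforce(action: str, token: Token, target: dict) -> bool:
    """Evaluate a single 'attr:%(path)s' rule against the caller's token."""
    attr, _, tmpl = POLICY[action].partition(":")
    node = target
    for part in tmpl[2:-2].split("."):        # "%(target.credential.user_id)s"
        node = node.get(part) if isinstance(node, dict) else None
    return node is not None and getattr(token, attr, None) == node


def get_credential(token: Token, credential_id: str) -> dict | None:
    """Handler: returns the credential only if the policy check passes."""
    if not enforce("identity:get_credential", token, policy_target(credential_id)):
        return None
    return CREDENTIALS[credential_id]
```

The common thread is that every value an authorization decision depends on (expiry, owning user, target attributes) is taken from server-held state that the caller cannot author; the request may at most confirm it. Detection-wise, the same three invariants can be checked from audit data: rescoped tokens with an expiry later than their parent, application-credential logins naming a user other than the credential's owner, and policy evaluations whose target attributes differ from the stored resource.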
Patches
~~~~~~~
- https://review.opendev.org/990500 (2025.1/epoxy)
- https://review.opendev.org/990501 (2025.1/epoxy)
- https://review.opendev.org/990502 (2025.1/epoxy)
- https://review.opendev.org/990503 (2025.1/epoxy)
- https://review.opendev.org/990504 (2025.1/epoxy)
- https://review.opendev.org/990495 (2025.2/flamingo)
- https://review.opendev.org/990496 (2025.2/flamingo)
- https://review.opendev.org/990497 (2025.2/flamingo)
- https://review.opendev.org/990498 (2025.2/flamingo)
- https://review.opendev.org/990499 (2025.2/flamingo)
- https://review.opendev.org/990490 (2026.1/gazpacho)
- https://review.opendev.org/990491 (2026.1/gazpacho)
- https://review.opendev.org/990492 (2026.1/gazpacho)
- https://review.opendev.org/990493 (2026.1/gazpacho)
- https://review.opendev.org/990494 (2026.1/gazpacho)
- https://review.opendev.org/990485 (2026.2/hibiscus)
- https://review.opendev.org/990486 (2026.2/hibiscus)
- https://review.opendev.org/990487 (2026.2/hibiscus)
- https://review.opendev.org/990488 (2026.2/hibiscus)
- https://review.opendev.org/990489 (2026.2/hibiscus)
Credits
~~~~~~~
- Boris Bobrov from SAP SE (CVE-2026-42998, CVE-2026-42999, CVE-2026-43000)
- Tim Shepherd from roiai.ca (CVE-2026-43001)
- Erichen from Institute of Computing Technology, Chinese Academy of
Sciences (CVE-2026-44394)
- Artem Goncharov from SysEleven GmbH
References
~~~~~~~~~~
- https://launchpad.net/bugs/2148398
- https://launchpad.net/bugs/2148477
- https://launchpad.net/bugs/2149775
- https://launchpad.net/bugs/2149789
- https://launchpad.net/bugs/2150089
- https://launchpad.net/bugs/2150379
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42998
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42999
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43000
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43001
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44394
Notes
~~~~~
- The fix for CVE-2026-42999 modifies the trust policy structure.
Deployments with customized trust policies may experience issues with
image upload and Heat service functionality until the custom policy is
updated.
- CVE-2026-44394 only affects deployments using SAML2 or OIDC
federation.
--
Goutham Pacha Ravi (gouthamr)
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html