
Multiple Keystone vulnerabilities affecting credential delegation and authorization (OSSA-2026-015)

Kurt Garloff
CEO @ S7n Cloud Services, former CTO @ SCS

The vulnerabilities

A series of five related vulnerabilities has been identified in OpenStack Keystone that impact how credentials are delegated and how authorization policies are enforced. These vulnerabilities allow authenticated attackers to bypass security boundaries, impersonate users, and potentially escalate privileges to cloud administrator.

The core issues are:

  • RBAC Policy Bypass (CVE-2026-42999): An attacker can inject RBAC policy targets via a JSON request body, allowing them to bypass authorization on protected endpoints. This can lead to the reading of credential secrets and escalation to cloud admin.

  • Application Credential Impersonation (CVE-2026-42998 & CVE-2026-43000): Keystone failed to verify if the caller owned the Application Credential being used. This allows for user impersonation within a project, which can be chained with "trust" operations to escalate privileges from a project member to an administrator.

  • Cross-Project EC2 Credentials (CVE-2026-43001): Application credentials scoped to one project could be used to create EC2-style credentials for a different project, enabling lateral movement across tenant boundaries.

  • Federated Token Rescoping (CVE-2026-44394): In SAML2/OIDC deployments, federated users can maintain access indefinitely by repeatedly rescoping tokens, as Keystone issues a fresh full-TTL token instead of inheriting the original expiry.
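For operators who want to confirm that a patched deployment no longer exhibits the rescoping behaviour described above, the following added check (example code, not part of the advisory or of Keystone) compares the `expires_at` of a rescoped token against the token it was derived from. The token bodies below are constructed samples in the shape of the `token` object of a Keystone v3 `POST /v3/auth/tokens` response; timestamps and the user id are placeholders.

```python
from datetime import datetime, timezone

# Constructed sample token bodies (the "token" object of a v3 auth response).
ORIGINAL_TOKEN = {
    "issued_at": "2026-05-28T10:00:00.000000Z",
    "expires_at": "2026-05-28T11:00:00.000000Z",
    "methods": ["saml2"],                     # federated login
    "user": {"id": "fed-user-placeholder"},   # placeholder id
}
# Rescope at 10:50 that inherits the parent's expiry: expected after the fix.
RESCOPED_OK = {
    "issued_at": "2026-05-28T10:50:00.000000Z",
    "expires_at": "2026-05-28T11:00:00.000000Z",
    "methods": ["token"],
}
# Rescope that received a fresh full TTL: the CVE-2026-44394 behaviour.
RESCOPED_BAD = {
    "issued_at": "2026-05-28T10:50:00.000000Z",
    "expires_at": "2026-05-28T11:50:00.000000Z",
    "methods": ["token"],
}


def parse_ts(value: str) -> datetime:
    """Parse a Keystone ISO-8601 timestamp (microseconds, trailing Z) as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def rescope_extends_lifetime(parent: dict, child: dict) -> bool:
    """True when the rescoped token expires later than the token it came from."""
    return parse_ts(child["expires_at"]) > parse_ts(parent["expires_at"])


def audit_rescope_chain(chain: list) -> list:
    """Given tokens in rescope order (chain[0] is the federated login token),
    return the indices of every later token whose expiry lies past the expiry
    of the first token, i.e. every point where session lifetime was extended."""
    root_expiry = parse_ts(chain[0]["expires_at"])
    return [i for i, tok in enumerate(chain) if i > 0
            and parse_ts(tok["expires_at"]) > root_expiry]
```

Feed it the real token bodies from a login followed by one or more rescopes; an empty audit result means the session's expiry was inherited as expected.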

These issues were reported by Boris Bobrov (SAP SE), Tim Shepherd (roiai.ca), Erichen (Institute of Computing Technology, CAS), and Artem Goncharov (SysEleven GmbH).

Impact on the SCS software ecosystem

These vulnerabilities pose a significant risk to SCS clouds. Because SCS environments rely heavily on S3 compatibility—which utilizes EC2-style credentials—the ability to perform cross-project lateral movement (CVE-2026-43001) is a direct threat to tenant isolation.

Furthermore, the RBAC bypass (CVE-2026-42999) is particularly severe as it undermines the fundamental security model of the cloud, potentially allowing an authenticated user to gain full administrative control over the entire Keystone service. For deployments using federated identity (SAML2/OIDC), the ability to bypass session expiration (CVE-2026-44394) also weakens the security posture regarding user lifecycle management.

Embargo

The issues were reported to the OpenStack Vulnerability Management Team. Following coordination with the reporters and upstream developers, the official OpenStack Security Advisory OSSA-2026-015 was published on Tuesday, 2026-05-28.

Mitigation and Fixes

The primary remediation is to upgrade Keystone to the patched versions provided by the upstream OpenStack project.

Note: For users with highly customized trust policies, please be aware that the fix for CVE-2026-42999 modifies the trust policy structure. This may require manual updates to your custom policies to ensure continued functionality for services like Heat or image uploads.

The SCS ecosystem software providers are providing fixed keystone images:

Outlook

We see an increased velocity with which security issues are found in the IT industry. We're glad to see them reported against the open source projects we use, and the community is working hard to address the issues. Security researchers have become more efficient due to the usage of AI tools, and so have OSS developers - we expect the high volume to continue for the upcoming months and maybe beyond.

SCS has always emphasized the ability to patch with confidence on a daily basis as an important design criterion for the lifecycle management of our components. It now seems to be needed more than ever. We advise operators to prepare for this new world and to work on any process issues that slow down their deployments.

References

Thanks

The author would like to thank Boris Bobrov, Tim Shepherd, Erichen, and Artem Goncharov for their work in discovering and reporting these critical vulnerabilities, the OpenStack Vulnerability Management Team for handling and coordinating this, and the OpenStack Keystone upstream developers for addressing the issues.

Sovereign Cloud Stack Security Contact

SCS security contact is security@scs.community, as published on https://sovereigncloudstack.org/.well-known/security.txt.

Version history

  • Initial draft, v0.1, 2026-05-28, 16:00 CEST
  • Release, v1.0, 2026-05-29, 12:00 CEST