CVE-2026-33551
Analyzed Analyzed - Analysis Complete
Privilege Escalation via EC2 Credential Creation in OpenStack Keystone

Publication date: 2026-04-10

Last updated on: 2026-06-05

Assigner: MITRE

Description
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-06-05
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33551
EUVD
EUVD-2026-21278
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
openstack keystone 27.0.0
openstack keystone 28.0.0
openstack keystone 29.0.0
openstack keystone From 14.0.0 (inc) to 26.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation involves applying the patches provided for your OpenStack Keystone version that add the missing enforcement of application credential restrictions on the EC2 credential creation API endpoint.

Patches have been submitted for multiple OpenStack branches including 26.1.1, 27.0.1, 28.0.1, and 29.0.1.

If patching is not immediately possible, consider disabling or restricting the use of restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) until a fix is applied.

Additionally, review and tighten policies around EC2 credential creation and deletion, as the deletion endpoint currently allows restricted credentials to delete EC2 credentials due to policy settings.

Executive Summary

CVE-2026-33551 is a vulnerability in OpenStack Keystone affecting versions 14 through 26 before 26.1.1, as well as versions 27.0.0, 28.0.0, and 29.0.0. The issue occurs because restricted application credentials, which are supposed to have limited permissions such as a reader role, can exploit the EC2 credential creation API to generate EC2/S3 credentials. These generated credentials inherit the full set of the parent user's S3 permissions, effectively bypassing the intended role restrictions.

This vulnerability specifically impacts deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api). The root cause is that the EC2 credential creation endpoint does not properly enforce the restrictions on application credentials, allowing privilege escalation.

Impact Analysis

This vulnerability can allow an authenticated user with only a restricted, read-only application credential to escalate their privileges by creating EC2 credentials that grant full read-write access to the user's S3 buckets. This means that a user who should only have limited access can gain full access to object storage resources, potentially leading to unauthorized data access, modification, or deletion.

Such unauthorized access could compromise the confidentiality and integrity of stored data, leading to data breaches or loss. The impact is limited to environments that use restricted application credentials together with the EC2/S3 compatibility API.

Detection Guidance

Detection involves checking if restricted application credentials with only a reader role are able to create EC2 credentials, which should normally be disallowed.

A proof of concept involves attempting to create EC2 credentials using a restricted application credential and verifying if the creation succeeds despite the restricted role.

Specifically, you can test the EC2 credential creation API endpoint (`POST /v3/users/{user_id}/credentials/OS-EC2`) with a restricted application credential that has only reader permissions.

If the API allows creation of EC2 credentials with full S3 permissions, the vulnerability is present.

Commands to test this would involve using OpenStack CLI or direct API calls to attempt EC2 credential creation with restricted credentials and checking the response.

Compliance Impact

This vulnerability allows an authenticated user with only a restricted application credential and a reader role to create EC2/S3 credentials that inherit the full set of the parent user's S3 permissions, effectively bypassing role restrictions. This escalation of privileges can lead to unauthorized access to sensitive data stored in S3-compatible storage.

Such unauthorized access and privilege escalation could potentially lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of sensitive data. If an attacker exploits this vulnerability, it may result in unauthorized data exposure or modification, thereby impacting compliance with these regulations.

However, the vulnerability only affects deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api), so the compliance impact depends on the specific deployment configuration.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33551. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart