CVE-2026-42998
Authentication Bypass in OpenStack Keystone
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openstack | keystone | all versions before 29.0.2 (29.0.2 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 (Incorrect Authorization) | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenStack Keystone before version 29.0.2. Keystone's application credential authentication plugin does not verify that the user named in an authentication request is the owner of the application credential being presented. An attacker who holds a valid application credential (ID and secret) can submit it together with a different user's name and domain in the same request. Keystone validates the secret, accepts the attacker-supplied user block, and issues a token attributed to that other user instead of to the credential's owner.
The resulting token is project-scoped to the credential's project and carries the intersection of the roles delegated to the application credential and the roles the named user actually holds on that project. The attacker therefore gains no roles beyond those of their own credential, but every action taken with the token is recorded against the victim, which lets the attacker act as the victim within projects they share and muddies audit trails. The fix is to upgrade to Keystone 29.0.2 or later.
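To make the flaw concrete, the following is an added example, not Keystone's own code. It models the `application_credential` authentication method with an in-memory credential store and shows the pre-fix behaviour (the plugin trusting the `user` block in the request over the credential's recorded owner) next to the corrected behaviour (always deriving the token's user from the credential and rejecting a `user` block that names someone else). The request shape follows the Keystone v3 `application_credential` method; the credential IDs, user names, project, roles and secret are constructed for the example.

```python
"""Simplified model of Keystone's application_credential auth method.

Added example, not Keystone's code. It models the flaw in CVE-2026-42998
(a `user` block in the request being trusted instead of the credential's
owner) beside the corrected behaviour. Stores, IDs, names and the secret
below are constructed for illustration.
"""
import hmac


class AuthError(Exception):
    """Raised when authentication must fail."""


# Constructed application-credential store keyed by credential ID.
# Real Keystone stores a password hash of the secret; a plain string is
# used here only to keep the model small.
APP_CREDS = {
    "appcred-attacker": {
        "user_id": "uid-mallory",      # the credential's owner
        "secret": "s3cr3t",
        "project_id": "proj-shared",
        "roles": {"member"},           # roles delegated to the credential
    },
}

# Constructed user directory and project role assignments.
USERS = {
    "uid-mallory": {"name": "mallory", "domain": "Default"},
    "uid-alice": {"name": "alice", "domain": "Default"},
}
PROJECT_ROLES = {
    ("uid-mallory", "proj-shared"): {"member"},
    ("uid-alice", "proj-shared"): {"member", "admin"},
}


def _lookup_user(name, domain_name):
    for uid, user in USERS.items():
        if user["name"] == name and user["domain"] == domain_name:
            return uid
    raise AuthError("no such user")


def _load_credential(ac):
    cred = APP_CREDS.get(ac["id"])
    if cred is None or not hmac.compare_digest(cred["secret"], ac["secret"]):
        raise AuthError("invalid application credential")
    return cred


def _issue_token(user_id, cred):
    # Project-scoped token: the credential's roles intersected with the
    # roles the token's user actually holds on the project.
    held = PROJECT_ROLES.get((user_id, cred["project_id"]), set())
    return {
        "user_id": user_id,
        "project_id": cred["project_id"],
        "roles": cred["roles"] & held,
    }


def authenticate_vulnerable(request):
    """Pre-fix behaviour: a `user` block in the request wins over the owner."""
    ac = request["auth"]["identity"]["application_credential"]
    cred = _load_credential(ac)
    if "user" in ac:
        user_id = _lookup_user(ac["user"]["name"], ac["user"]["domain"]["name"])
    else:
        user_id = cred["user_id"]
    return _issue_token(user_id, cred)


def authenticate_fixed(request):
    """Corrected behaviour: the token's user is always the credential's owner."""
    ac = request["auth"]["identity"]["application_credential"]
    cred = _load_credential(ac)
    user_id = cred["user_id"]
    if "user" in ac:
        claimed = _lookup_user(ac["user"]["name"], ac["user"]["domain"]["name"])
        if claimed != user_id:
            raise AuthError("application credential does not belong to the specified user")
    return _issue_token(user_id, cred)


def make_request(cred_id, secret, user_name=None, domain_name="Default"):
    """Build a Keystone v3 auth body for the application_credential method."""
    ac = {"id": cred_id, "secret": secret}
    if user_name is not None:
        ac["user"] = {"name": user_name, "domain": {"name": domain_name}}
    return {"auth": {"identity": {"methods": ["application_credential"],
                                  "application_credential": ac}}}


# Constructed attack: mallory's own credential, but alice named as the user.
IMPERSONATION_REQUEST = make_request("appcred-attacker", "s3cr3t", user_name="alice")


if __name__ == "__main__":
    print("vulnerable:", authenticate_vulnerable(IMPERSONATION_REQUEST))
    try:
        authenticate_fixed(IMPERSONATION_REQUEST)
    except AuthError as exc:
        print("fixed:", exc)
```

Run stand-alone, the vulnerable path returns a token for `uid-alice` carrying only `{"member"}` (the credential's roles intersected with alice's), while the fixed path rejects the same request. Note that the corrected version still accepts a `user` block when it names the credential's owner: in Keystone the `user` block exists so that a credential referenced by name can be disambiguated, so the fix binds the token's identity to the owner rather than dropping the field.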
How can this vulnerability impact me?
An attacker who already holds an application credential can obtain a token attributed to another user and then act as that user within the projects the two share, limited to the roles the credential was delegated. The source lists three consequences: evading audits (actions are logged against the victim), reading the victim's credentials, and acting as the victim in shared projects. Any organisation that relies on Keystone audit records to attribute actions to a user, or that grants access to shared projects on the basis of those records, is exposed until Keystone is upgraded to 29.0.2 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because the attacker obtains a token attributed to another user, every action taken with it is logged as the victim's. That undermines two controls that frameworks such as GDPR and HIPAA expect: reliable attribution of access to an identified user, and audit trails that can be trusted during an investigation. It can also expose personal or sensitive data held in shared projects to a party who was not authorised to see it as themselves. An unpatched deployment therefore risks findings on authentication integrity, unauthorised data access, and audit-log integrity.