CVE-2026-42998
Status: Analyzed (analysis complete)
Authentication Bypass in OpenStack Keystone

Publication date: 2026-05-28

Last updated on: 2026-06-02

Assigner: MITRE

Description
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.
Meta Information
Generated: 2026-06-18
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products (3 associated CPEs)
Vendor: openstack | Product: keystone | Version range: from 28.0.0 (inclusive) to 28.0.2 (exclusive)
Vendor: openstack | Product: keystone | Version range: from 29.0.0 (inclusive) to 29.0.2 (exclusive)
Vendor: openstack | Product: keystone | Version range: from 14.0.0 (inclusive) to 27.0.2 (exclusive)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

AI Quick Actions
Compliance Impact

This vulnerability allows an attacker to impersonate another user by obtaining a token attributed to the victim user, enabling actions such as audit evasion, reading the victim's credentials, and acting as the victim within shared projects.

Such unauthorized access and impersonation can lead to violations of data protection and privacy requirements found in common standards and regulations like GDPR and HIPAA, which mandate strict controls on user authentication, access auditing, and protection of personal and sensitive information.

Therefore, this vulnerability could negatively impact compliance by undermining authentication integrity, enabling unauthorized data access, and compromising audit trails.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenStack Keystone to version 29.0.2 or later, where the issue with application credential authentication has been fixed.

This update ensures that the Keystone authentication plugin properly verifies that the user supplied in the authentication request matches the owner of the application credential, preventing impersonation and role escalation.

Executive Summary

This vulnerability exists in OpenStack Keystone before version 29.0.2. The issue is that the Keystone application credential authentication plugin does not verify that the user specified in an authentication request is the actual owner of the application credential being used. An attacker can exploit this by authenticating with their own application credential ID and secret but specifying a different user's name and domain in the request. As a result, Keystone issues a token that is attributed to the victim user instead of the attacker.

The token issued is project-scoped and carries the intersection of the roles assigned to the application credential and the victim's actual roles on the project. This allows the attacker to impersonate the victim within shared projects.

Impact Analysis

This vulnerability can have several impacts, including enabling an attacker to evade audits, read the victim's credentials, and act as the victim within shared projects. Because the attacker can obtain a token attributed to the victim user, they can perform actions with the victim's permissions, potentially leading to unauthorized access and misuse of resources.
