CVE-2026-42999
Keystone RBAC Policy Bypass via JSON Injection
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openstack | keystone | Up to 29.0.2 (exc) |
| openstack | keystone | From 14.0.0 (inc) to 27.0.2 (exc) |
| openstack | keystone | From 28.0.0 (inc) to 28.0.2 (exc) |
| openstack | keystone | From 29.0.0 (inc) to 29.0.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42999 is a security vulnerability in OpenStack Keystone where the RBAC policy enforcer merges the raw JSON request body into the policy enforcement dictionary without proper validation. This allows an authenticated user to inject arbitrary policy target attributes, such as user_id or project_id, into the request body, overwriting trusted data loaded from the database.
Because the JSON is parsed with force=True regardless of Content-Type or HTTP method, attackers can bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects.
The root cause is the unconditional merging of user-controlled JSON data into the policy enforcement dictionary, which overwrites security-critical keys and causes policy checks to evaluate against attacker-controlled data instead of real attributes.
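The pattern described above, the unconditional merge of request JSON into the policy target, is shown here as an added illustrative model alongside the hardened form and a simple detection aid. This is not Keystone's code: the enforcer functions, the stand-in ownership rule, the domain_id key, the parse_body helper and every sample value are constructed for this example. The reading that force=True refers to Flask's request.get_json() option, which parses the body as JSON regardless of the Content-Type header, is this example's interpretation of the advisory text.

```python
"""Illustrative model of the CWE-863 pattern described for CVE-2026-42999.

Not Keystone's code: the enforcer functions, the policy rule, the key names
beyond user_id/project_id, and every sample value below are constructed here.
"""
import json
from typing import Any, Mapping, Set

# Keys a policy target derives from trusted sources (token, database).
# user_id and project_id are named in the advisory; domain_id is an assumption.
PROTECTED_TARGET_KEYS = frozenset({"user_id", "project_id", "domain_id"})


def rule_owner(creds: Mapping[str, Any], target: Mapping[str, Any]) -> bool:
    """Stand-in for an ownership rule of the form user_id:%(target.user_id)s."""
    return creds.get("user_id") == target.get("user_id")


def enforce_vulnerable(body: Mapping[str, Any], creds: Mapping[str, Any],
                       target_from_db: Mapping[str, Any]) -> bool:
    """Unsafe pattern: the raw request body is merged into the target after the
    trusted attributes, so any key the caller sends wins over the database."""
    target = dict(target_from_db)
    target.update(body)
    return rule_owner(creds, target)


def enforce_hardened(body: Mapping[str, Any], creds: Mapping[str, Any],
                     target_from_db: Mapping[str, Any]) -> bool:
    """Fixed pattern: protected keys are dropped from the body and the trusted
    attributes are applied last, so the database value always wins."""
    target = {k: v for k, v in body.items() if k not in PROTECTED_TARGET_KEYS}
    target.update(target_from_db)
    return rule_owner(creds, target)


def parse_body(raw: bytes, method: str, content_type: str) -> dict:
    """Models the safe alternative to parsing with force=True: only methods that
    carry a body and only a JSON content type are parsed; anything else
    contributes no attributes at all."""
    if method.upper() not in {"POST", "PUT", "PATCH"}:
        return {}
    if content_type.split(";")[0].strip().lower() != "application/json":
        return {}
    parsed = json.loads(raw.decode("utf-8"))
    return parsed if isinstance(parsed, dict) else {}


def shadowed_keys(body: Mapping[str, Any], target_from_db: Mapping[str, Any]) -> Set[str]:
    """Detection aid: request keys that collide with protected, database-backed
    target attributes and carry a different value. A non-empty result is worth
    logging even after the fix is deployed."""
    return {
        k for k in body
        if k in PROTECTED_TARGET_KEYS and k in target_from_db and body[k] != target_from_db[k]
    }


# Constructed scenario: the caller holds a token for one user while the policy
# protects a credential owned by a different user.
CALLER = {"user_id": "user-a", "project_id": "proj-a", "roles": ["member"]}
OWNER = {"user_id": "user-b", "project_id": "proj-b", "roles": ["member"]}
RESOURCE_OWNER = {"user_id": "user-b", "project_id": "proj-b"}  # loaded from the DB
BODY_WITH_OVERRIDE = {"user_id": "user-a", "blob": "x"}  # collides with a trusted key
BODY_BENIGN = {"blob": "x"}


def demo() -> dict:
    """Runs the scenario through both enforcers and the detection aid."""
    return {
        "vulnerable_allows_override": enforce_vulnerable(BODY_WITH_OVERRIDE, CALLER, RESOURCE_OWNER),
        "hardened_blocks_override": enforce_hardened(BODY_WITH_OVERRIDE, CALLER, RESOURCE_OWNER),
        "hardened_allows_owner": enforce_hardened(BODY_BENIGN, OWNER, RESOURCE_OWNER),
        "shadowed": shadowed_keys(BODY_WITH_OVERRIDE, RESOURCE_OWNER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of the two `update` calls is the whole fix: whichever mapping is applied last decides the value of a colliding key, so trusted attributes must be merged after, never before, anything taken from the request. Dropping protected keys from the body as well makes the intent explicit and gives `shadowed_keys` a clean signal to log.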
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to bypass RBAC authorization on any policy-protected endpoint in OpenStack Keystone.
- The attacker can read credential secrets from the system.
- They can create credentials for arbitrary users.
- They can escalate privileges to gain full cloud admin access without requiring specific roles or prior knowledge.
Overall, this leads to unauthorized access and control over resources belonging to other users or projects, severely compromising the security of the OpenStack environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-42999, you should apply the available patches that prevent JSON request body data from overwriting trusted policy enforcement data in OpenStack Keystone.
Specifically, upgrade your OpenStack Keystone to a fixed version beyond 29.0.2 or apply the patch available at https://review.opendev.org/990501 for the 2025.1/epoxy release.
Be aware that the fix modifies the trust policy structure, so review and update any customized trust policies in your deployment accordingly to avoid disruptions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-42999 allows an authenticated attacker to bypass Role-Based Access Control (RBAC) policies in OpenStack Keystone by injecting arbitrary JSON data, enabling unauthorized access to sensitive resources and credentials.
This unauthorized access and privilege escalation can lead to exposure or misuse of sensitive personal or organizational data, which may violate data protection regulations such as GDPR or HIPAA that require strict access controls and protection of sensitive information.
Therefore, organizations using vulnerable versions of OpenStack Keystone may face compliance risks due to potential unauthorized data access and privilege escalation stemming from this vulnerability.