CVE-2026-42999
Analyzed Analyzed - Analysis Complete
Keystone RBAC Policy Bypass via JSON Injection

Publication date: 2026-05-28

Last updated on: 2026-06-02

Assigner: MITRE

Description
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-02
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-42999
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openstack keystone From 28.0.0 (inc) to 28.0.2 (exc)
openstack keystone From 29.0.0 (inc) to 29.0.2 (exc)
openstack keystone From 14.0.0 (inc) to 27.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42999 is a security vulnerability in OpenStack Keystone where the RBAC policy enforcer merges the raw JSON request body into the policy enforcement dictionary without proper validation. This allows an authenticated user to inject arbitrary policy target attributes, such as user_id or project_id, into the request body, overwriting trusted data loaded from the database.

Because the JSON is parsed with force=True regardless of Content-Type or HTTP method, attackers can bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects.

The root cause is the unconditional merging of user-controlled JSON data into the policy enforcement dictionary, which overwrites security-critical keys and causes policy checks to evaluate against attacker-controlled data instead of real attributes.

Impact Analysis

This vulnerability allows an authenticated attacker to bypass RBAC authorization on any policy-protected endpoint in OpenStack Keystone.

  • The attacker can read credential secrets from the system.
  • They can create credentials for arbitrary users.
  • They can escalate privileges to gain full cloud admin access without requiring specific roles or prior knowledge.

Overall, this leads to unauthorized access and control over resources belonging to other users or projects, severely compromising the security of the OpenStack environment.

Mitigation Strategies

To mitigate CVE-2026-42999, you should apply the available patches that prevent JSON request body data from overwriting trusted policy enforcement data in OpenStack Keystone.

Specifically, upgrade your OpenStack Keystone to a fixed version beyond 29.0.2 or apply the patch available at https://review.opendev.org/990501 for the 2025.1/epoxy release.

Be aware that the fix modifies the trust policy structure, so review and update any customized trust policies in your deployment accordingly to avoid disruptions.

Compliance Impact

CVE-2026-42999 allows an authenticated attacker to bypass Role-Based Access Control (RBAC) policies in OpenStack Keystone by injecting arbitrary JSON data, enabling unauthorized access to sensitive resources and credentials.

This unauthorized access and privilege escalation can lead to exposure or misuse of sensitive personal or organizational data, which may violate data protection regulations such as GDPR or HIPAA that require strict access controls and protection of sensitive information.

Therefore, organizations using vulnerable versions of OpenStack Keystone may face compliance risks due to potential unauthorized data access and privilege escalation stemming from this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42999. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart