CVE-2026-43000
Analyzed Analyzed - Analysis Complete
Privilege Escalation in OpenStack Keystone via Trust Abuse

Publication date: 2026-05-28

Last updated on: 2026-06-02

Assigner: MITRE

Description
An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-02
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-43000
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openstack keystone From 28.0.0 (inc) to 28.0.2 (exc)
openstack keystone From 29.0.0 (inc) to 29.0.2 (exc)
openstack keystone From 14.0.0 (inc) to 27.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenStack Keystone versions before 29.0.2. It involves an attacker who has a member role on a project exploiting an application credential impersonation flaw combined with Keystone trusts to escalate their privileges to admin.

The attacker impersonates a victim's token, which carries the victim's identity and passes the trustor validation check. Keystone then validates delegated roles against the victim's actual role assignments in the database rather than the roles on the attacker's token.

This allows the attacker to create a trust that delegates the victim's admin role to themselves. The trust persists independently, enabling the attacker to maintain access by creating additional trusts and application credentials. All malicious actions are logged under the victim's identity.

Impact Analysis

This vulnerability can allow an attacker with limited privileges (member role) to escalate their access to admin level within OpenStack Keystone.

Such privilege escalation can lead to unauthorized administrative control over the system, potentially allowing the attacker to manipulate resources, access sensitive data, or disrupt services.

Additionally, because the attacker actions are logged under the victim's identity, it can complicate detection and attribution of malicious activities.

Compliance Impact

This vulnerability allows an attacker to escalate privileges to admin by impersonating another user's identity through application credentials and Keystone trusts. Although all actions are logged under the victim's identity, the unauthorized privilege escalation and potential unauthorized access to sensitive data could lead to violations of compliance requirements such as GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.

The persistence of trusts and the ability to maintain elevated access independently increase the risk of prolonged unauthorized access, which can further impact compliance by undermining data integrity and confidentiality controls required by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43000. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart