CVE-2026-33551

EUVD-2026-21278
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| mitre | CNA | 3.5 LOW | NETWORK | HIGH | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N |

EPSS Score percentile: Unknown

Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.

| Vendor | Product | Version | Source |
|---|---|---|---|
| openstack | keystone | 14.0.0 ≤ x < 26.1.1 | CNA |
| openstack | keystone | 27.0.0 | CNA |
| openstack | keystone | 28.0.0 | CNA |
| openstack | keystone | 29.0.0 | CNA |

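Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| keystone | bookworm | | vulnerable |
| keystone | bookworm (security) | | vulnerable |
| keystone | bullseye | | vulnerable |
| keystone | bullseye (security) | | vulnerable |
| keystone | forky | | vulnerable |
| keystone | sid | 2:29.0.0-2 | fixed |
| keystone | trixie | | vulnerable |
| keystone | trixie (security) | | vulnerable |
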
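Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| keystone | bionic | needs-triage |
| keystone | focal | needs-triage |
| keystone | jammy | needs-triage |
| keystone | noble | needs-triage |
| keystone | questing | needs-triage |
| keystone | xenial | needs-triage |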