CVE-2026-42998

28.05.2026, 19:16

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
mitre	CNA	6 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
openstack	keystone	14.0.0 ≤ 𝑥 < 27.0.2	CNA
openstack	keystone	28.0.0 ≤ 𝑥 < 28.0.2	CNA
openstack	keystone	29.0.0 ≤ 𝑥 < 29.0.2	CNA

Debian Releases

Debian Product

Codename

keystone

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	vulnerable
sid	2:29.0.1-2 fixed
trixie	vulnerable
trixie (security)	vulnerable

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://bugs.launchpad.net/keystone/+bug/2148477

https://security.openstack.org/ossa/OSSA-2026-015.html