CVE-2026-42998

EUVD-2026-33240
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
Affected Products (NVD)
VendorProductVersion
openstackkeystone
14.0.0 ≤
𝑥
< 27.0.2
openstackkeystone
28.0.0 ≤
𝑥
< 28.0.2
openstackkeystone
29.0.0 ≤
𝑥
< 29.0.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
keystone
bookworm
2:22.0.2-0+deb12u3
fixed
bookworm (security)
2:22.0.2-0+deb12u3
fixed
bullseye
vulnerable
bullseye (security)
2:18.1.0-1+deb11u3
fixed
forky
2:29.0.1-2
fixed
sid
2:29.0.1-2
fixed
trixie
2:27.0.0-3+deb13u4
fixed
trixie (security)
2:27.0.0-3+deb13u4
fixed