CVE-2026-43000

EUVD-2026-33242
An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
Affected Products (NVD)
VendorProductVersion
openstackkeystone
14.0.0 ≤
𝑥
< 27.0.2
openstackkeystone
28.0.0 ≤
𝑥
< 28.0.2
openstackkeystone
29.0.0 ≤
𝑥
< 29.0.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
keystone
bookworm
2:22.0.2-0+deb12u3
fixed
bookworm (security)
2:22.0.2-0+deb12u3
fixed
bullseye
vulnerable
bullseye (security)
2:18.1.0-1+deb11u3
fixed
forky
2:29.0.1-2
fixed
sid
2:29.0.1-2
fixed
trixie
2:27.0.0-3+deb13u4
fixed
trixie (security)
2:27.0.0-3+deb13u4
fixed