← Back

CVE-2026-42998

nvd nist
Published: May 28, 2026Modified: Jun 2, 2026

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.

Affected (3)

Products: Openstack: Keystone
Openstack
1 product
Keystone
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Openstack
Keystone
From 14.0.0 to 27.0.2
Keystone
From 28.0.0 to 28.0.2
Keystone
From 29.0.0 to 29.0.2

Related CWEs

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

Source: cve@mitre.org
ExploitIssue TrackingThird Party AdvisoryPatch
Source: cve@mitre.org
Vendor AdvisoryPatch

Timeline

No history available yet.