Description
An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected.
Published: 2026-01-19
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

An authentication header injection flaw in OpenStack keystonemiddleware’s external_oauth2_token middleware allows an attacker with valid credentials to send forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id. The middleware does not sanitize these incoming headers before processing OAuth 2.0 tokens, enabling an authenticated attacker to elevate privileges or impersonate other users, thereby compromising the confidentiality and integrity of the system. This vulnerability is classified as CWE-290, representing authentication bypass through insufficient input sanitization.

Affected Systems

OpenStack keystonemiddleware versions 10.5 through 10.7 before 10.7.2, 10.8, and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1 are affected. Any deployment employing the external_oauth2_token middleware is vulnerable.

Risk and Exploitability

The vulnerability scores a CVSS vector of 9.9, indicating critical severity. Although the EPSS score is below 1%, suggesting a low probability of exploitation at present, the flaw remains critical due to the high impact and the ability to exploit with only authenticated access. The flaw is not listed in the CISA KEV catalog, yet the combination of high severity and potential for privilege escalation warrants urgent attention. An attack would involve an authenticated attacker submitting forged authentication headers to the middleware, allowing privilege escalation or user impersonation.

Generated by OpenCVE AI on April 18, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack keystonemiddleware to version 10.7.2 or later, ensuring that 10.8, 10.9.1, and 10.12.1 patches are applied.
  • If the external_oauth2_token middleware is not required, remove or disable it from the deployment configuration.
  • Configure the middleware to validate and whitelist permissible authentication headers, rejecting any headers that do not conform to expected formats or values.

Generated by OpenCVE AI on April 18, 2026 at 15:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6104-1 python-keystonemiddleware security update
Ubuntu USN Ubuntu USN USN-8008-1 Keystone Middleware vulnerability
History

Tue, 20 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Title keystonemiddleware: From CVEorg collector
References
Metrics threat_severity

None

 threat_severity

Critical

Mon, 19 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
References

Mon, 19 Jan 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Openstack
Openstack keystonemiddleware
Weaknesses CWE-290
CPEs cpe:2.3:a:openstack:keystonemiddleware:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack keystonemiddleware
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}

Mon, 19 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected.
References

Subscriptions

Openstack Keystonemiddleware
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-01-20T17:28:09.348Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2026-22797

cve-icon Vulnrichment

Updated: 2026-01-19T18:08:40.994Z

cve-icon NVD

Status : Deferred

Published: 2026-01-19T18:16:04.950

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22797

cve-icon Redhat

Severity : Critical

Publid Date: 2026-01-19T00:00:00Z

Links: CVE-2026-22797 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses