Description
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
Published: 2026-04-10
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via EC2 credential creation
Action: Patch Now
AI Analysis

Impact

A flaw in OpenStack Keystone allows a user with a restricted application credential and only reader role to call the EC2 credential creation API and obtain an EC2/S3 credential that inherits the full set of the parent user’s S3 permissions. The result is a privilege escalation that bypasses the intended role restrictions on the application credential. The weakness is rooted in improper account and privilege management and missing authorization checks.

Affected Systems

Vulnerable versions of OpenStack Keystone are 14 through 26 before 26.1.1, as well as 27.0.0, 28.0.0, and 29.0.0. The issue manifests only when restricted application credentials are used alongside the EC2/S3 compatibility API (swift3 / s3api).

Risk and Exploitability

The CVSS score of 3.5 indicates a moderate impact, while an EPSS score below 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker must already be authenticated, possess a reader role, and have access to a restricted application credential. The attack vector is therefore internal or requires a compromised user credential rather than remote exploitation.

Generated by OpenCVE AI on April 14, 2026 at 01:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Keystone to the latest version that removes this flaw (the patch was applied after 26.1.1, 27.x, 28.x, and 29.x releases).
  • If upgrading is not immediately possible, disable or limit the use of the EC2/S3 compatibility API for restricted application credentials.
  • Reevaluate role assignments so that reader‑only application credentials cannot request EC2 credential creation.
  • Continuously monitor Keystone logs for unexpected EC2 credential creation requests and investigate promptly.

Generated by OpenCVE AI on April 14, 2026 at 01:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4phw-6824-6cfp OpenStack Keystone: Restricted application credentials can create EC2 credentials
History

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Restricted Application Credentials in OpenStack Keystone openstack-keystone: OpenStack Keystone: Privilege escalation through EC2 credential creation
Weaknesses CWE-266
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 10 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Restricted Application Credentials in OpenStack Keystone

Fri, 10 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
First Time appeared Openstack
Openstack keystone
Weaknesses CWE-863
CPEs cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack keystone
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N'}

Subscriptions

Openstack Keystone
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-10T13:50:43.389Z

Reserved: 2026-03-22T00:00:00.000Z

Link: CVE-2026-33551

cve-icon Vulnrichment

Updated: 2026-04-10T03:07:01.673Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-10T03:16:02.723

Modified: 2026-04-13T15:02:06.187

Link: CVE-2026-33551

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-07T15:00:00Z

Links: CVE-2026-33551 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:44Z

Weaknesses