Description
In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.
Published: 2026-04-14
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass via misinterpreted LDAP disabled users
Action: Immediate Patch
AI Analysis

Impact

OpenStack Keystone versions prior to 28.0.1 do not convert the LDAP user_enabled attribute to a boolean when the user_enabled_invert configuration option is False, the default. Because non‑empty strings such as "FALSE" evaluate as true in Python, users who are marked as disabled in the LDAP directory are incorrectly treated as enabled by Keystone. This misinterpretation allows an attacker to authenticate with a supposedly disabled user account, granting unauthorized access to Keystone services. The underlying weakness corresponds to CWE‑843, an inappropriate type conversion that leads to incorrect logic.

Affected Systems

This vulnerability affects deployments of OpenStack Keystone that use the LDAP identity backend and have not set user_enabled_invert to True or enabled user_enabled_emulation. All versions of Keystone released before 28.0.1 are potentially impacted if the default configuration is in use.

Risk and Exploitability

The vulnerability scores a CVSS v3.1 base score of 7.7, indicating high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an adversary who can either exploit an existing LDAP service that feeds Keystone, or manipulate LDAP data to mark a user as disabled while the backend still authenticates them. Given the logic flaw, exploitation is straightforward once the necessary LDAP data is present, and no additional privileges are required beyond a valid LDAP account that is disabled by definition.

Generated by OpenCVE AI on April 14, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Keystone to version 28.0.1 or newer
  • Configure the LDAP backend by setting user_enabled_invert=True or enabling user_enabled_emulation
  • Verify that disabled users in LDAP cannot authenticate after configuration changes
  • If an immediate update is not possible, temporarily disable the LDAP identity backend or block authentication attempts from disabled LDAP accounts

Generated by OpenCVE AI on April 14, 2026 at 21:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4611-1 keystone security update
Github GHSA Github GHSA GHSA-pfx2-9x9m-7ghx OpenStack Keystone: LDAP identity backend does not convert enabled attribute to boolean
History

Fri, 17 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title LDAP Disabled User Attribute Misinterpreted as Enabled Causes Unauthorized Authentication in Keystone OpenStack Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP user status handling
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 15 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Title LDAP Disabled User Attribute Misinterpreted as Enabled Causes Unauthorized Authentication in Keystone

Tue, 14 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g. "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected. In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.

Tue, 14 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Description In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g. "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.
First Time appeared Openstack
Openstack keystone
Weaknesses CWE-843
CPEs cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack keystone
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H'}

Subscriptions

Openstack Keystone
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T20:14:44.539Z

Reserved: 2026-04-14T20:05:01.861Z

Link: CVE-2026-40683

cve-icon Vulnrichment

Updated: 2026-04-14T20:14:41.085Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T20:16:48.203

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40683

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-14T20:05:03Z

Links: CVE-2026-40683 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:41:09Z

Weaknesses