Description
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.
Published: 2026-05-28
Score: 6.0 Medium (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L)
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authentication flaw in OpenStack Keystone lets an attacker present their own application credential ID and secret while naming a different user (by name and domain) in the request body; Keystone then issues a token attributed to that user. The token is project-scoped and carries only the intersection of the application credential's roles and the victim's actual roles on the project, so it grants no role the attacker's credential lacks, but it lets the attacker act under the victim's identity in shared projects, defeat attribution in audit records, and read the victim's credentials. The root cause is an incorrect implementation of the authentication algorithm (CWE-303), which in turn produces incorrect authorization (CWE-863).
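The following is an added example, not Keystone's own code: a minimal model of the application_credential auth method that reproduces the missing check the advisory describes (the user named in the request is never compared with the credential's owner) next to a hardened version that enforces it. The user, project, role and credential stores, the identifiers (`u-attacker`, `u-victim`, `p-shared`, `ac-123`) and the secret are constructed sample data; the request body shape follows the Keystone v3 API, but the way a credential `id` is combined with a `user` block is modelled here, not copied from the real plugin.

```python
"""Added example (not Keystone's own code): a model of the
application_credential auth method with and without the owner check
described for CVE-2026-42998.  All stores below are constructed sample
data; the merge of `id` and `user` in the request is an assumption."""
import hmac

# --- constructed sample data (assumed, not from the page) -------------
PROJECT = "p-shared"
USERS = {
    "u-attacker": {"name": "mallory", "domain": "Default"},
    "u-victim": {"name": "alice", "domain": "Default"},
}
# Role assignments each user really holds on the shared project.
ROLES = {
    ("u-attacker", PROJECT): {"member", "reader"},
    ("u-victim", PROJECT): {"member", "reader", "creator"},
}
# One application credential, owned by the attacker.
APP_CREDS = {
    "ac-123": {"secret": "s3cr3t", "user_id": "u-attacker",
               "project_id": PROJECT, "roles": {"member", "reader"}},
}


def auth_body(app_cred_id, secret, user_name=None, domain_name=None):
    """Build a v3 auth request body.  The optional user block is the
    field the attacker abuses to name somebody else."""
    ac = {"id": app_cred_id, "secret": secret}
    if user_name is not None:
        ac["user"] = {"name": user_name, "domain": {"name": domain_name}}
    return {"auth": {"identity": {"methods": ["application_credential"],
                                  "application_credential": ac}}}


def _lookup_user(user_block):
    wanted = (user_block["name"], user_block["domain"]["name"])
    for uid, u in USERS.items():
        if (u["name"], u["domain"]) == wanted:
            return uid
    raise PermissionError("no such user")


def _check_secret(ac_req):
    """Look up the credential by id and verify its secret in constant time."""
    ac = APP_CREDS.get(ac_req["id"])
    if ac is None or not hmac.compare_digest(ac["secret"], ac_req["secret"]):
        raise PermissionError("invalid application credential")
    return ac


def _issue_token(user_id, ac):
    """Project-scoped token whose roles are the intersection of the
    credential's roles and the named user's actual roles on the project."""
    effective = ac["roles"] & ROLES.get((user_id, ac["project_id"]), set())
    return {"user_id": user_id, "project_id": ac["project_id"],
            "roles": sorted(effective)}


def authenticate_vulnerable(body):
    """Modelled flaw: a user block in the request overrides the owner
    and is never compared with it."""
    ac_req = body["auth"]["identity"]["application_credential"]
    ac = _check_secret(ac_req)
    user_id = ac["user_id"]
    if "user" in ac_req:
        user_id = _lookup_user(ac_req["user"])  # trusted without an owner check
    return _issue_token(user_id, ac)


def authenticate_fixed(body):
    """Hardened: the token always goes to the credential's owner, and a
    user block naming anyone else is rejected."""
    ac_req = body["auth"]["identity"]["application_credential"]
    ac = _check_secret(ac_req)
    if "user" in ac_req and _lookup_user(ac_req["user"]) != ac["user_id"]:
        raise PermissionError("user does not own this application credential")
    return _issue_token(ac["user_id"], ac)


if __name__ == "__main__":
    body = auth_body("ac-123", "s3cr3t", user_name="alice", domain_name="Default")
    print("vulnerable:", authenticate_vulnerable(body))  # token for u-victim
    try:
        authenticate_fixed(body)
    except PermissionError as err:
        print("fixed:", err)
```

Running the vulnerable path with the attacker's credential and the victim's name yields a token for `u-victim` carrying `member` and `reader` only: the victim's extra `creator` role is dropped by the intersection, which is why the impact is impersonation and audit evasion rather than a gain of roles. The hardened path rejects the same request and issues a token only to the credential's owner.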

Affected Systems

This issue affects OpenStack Keystone releases before 29.0.2. The flaw lies in Keystone's application credential authentication plugin itself rather than in any configuration, so every deployment running an unfixed release with application credential authentication in use is affected. Debian tracks the fix for its keystone package in DLA-4611-1 and DSA-6331-1.

Risk and Exploitability

The CVSS 3.1 base score of 6.0 (Medium) reflects a network attack vector with high attack complexity, low privileges required (the attacker must already hold a valid application credential of their own), no user interaction, a changed scope, and low confidentiality, integrity and availability impact. The EPSS score below 1% and the absence of a CISA KEV listing indicate no known exploitation in the wild. Successful exploitation yields a token attributed to the victim that the attacker can use to act as the victim within projects the two users share, to evade audit attribution, and to read the victim's credentials without authorization.

Generated by OpenCVE AI on June 4, 2026 at 13:53 UTC.

Remediation

Fixed upstream in OpenStack Keystone 29.0.2. Debian has published DLA-4611-1 and DSA-6331-1 for its keystone package. No workaround short of upgrading is described.

OpenCVE Recommended Actions

  • Upgrade OpenStack Keystone to version 29.0.2 or later (or apply the Debian DLA-4611-1 / DSA-6331-1 update) so that the application credential plugin checks that the user named in the request owns the credential.
  • After upgrading, verify the fix: an application-credential authentication request that supplies a valid credential ID and secret together with a different user's name and domain must be rejected rather than return a token for that user.
  • Rotating application credentials does not by itself close this issue, since the missing check is in the authentication plugin, not in the credentials. Tokens already obtained through the flaw remain usable until they expire or are revoked, so revoke tokens for affected users where impersonation is suspected.

Advisories
Source       ID          Title
Debian DLA   DLA-4611-1  keystone security update
Debian DSA   DSA-6331-1  keystone security update
History

Thu, 04 Jun 2026 12:15:00 +0000

Title
  Removed: Impersonated Token Generation via Application Credential in OpenStack Keystone
  Added:   openstack-keystone: OpenStack Keystone: User impersonation and unauthorized access via insufficient application credential verification.
Weaknesses
  Added:   CWE-303
References
Metrics
  Removed: threat_severity: None
  Added:   threat_severity: Moderate


Thu, 28 May 2026 20:45:00 +0000

Title
  Added:   Impersonated Token Generation via Application Credential in OpenStack Keystone

Thu, 28 May 2026 20:30:00 +0000

Metrics
  Added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 19:00:00 +0000

Description
  Added:   An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.
First Time appeared
  Added:   Openstack, Openstack keystone
Weaknesses
  Added:   CWE-863
CPEs
  Added:   cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
Vendors & Products
  Added:   Openstack, Openstack keystone
References
Metrics
  Added:   cvssV3_1 {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-28T19:38:42.097Z

Reserved: 2026-05-01T00:00:00.000Z

Link: CVE-2026-42998

Vulnrichment

Updated: 2026-05-28T19:38:26.871Z

NVD

Status : Analyzed

Published: 2026-05-28T19:16:37.483

Modified: 2026-06-02T14:50:36.337

Link: CVE-2026-42998

Red Hat

Severity : Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-42998 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-04T14:00:15Z

Weaknesses
  • CWE-303

    Incorrect Implementation of Authentication Algorithm

  • CWE-863

    Incorrect Authorization