Description
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0).
Published: 2026-05-28
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Keystone RBAC policy enforcer merges the raw JSON request body into the policy enforcement dictionary after the trusted target values have been loaded from the database, so values from the body overwrite them. This flaw is a type of Authorization Bypass, classified as CWE-639. Because the merge occurs unconditionally, a malicious actor can inject policy target attributes such as user_id or project_id into the request. This allows the attacker to masquerade as another user or project and bypass the RBAC checks that depend on those target attributes, enabling unauthorized creation, modification, or deletion of resources belonging to other users.

Affected Systems

OpenStack Keystone releases earlier than version 29.0.2. The flaw was introduced in the commit 5ea59f52 (Rocky/14.0.0) and was fixed with the 29.0.2 release. The affected product is the Keystone identity service, which is used in OpenStack deployments to manage authentication and authorization.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.0, indicating moderate risk. It is not listed in the CISA KEV catalog and the EPSS score is <1%. The flaw can be exploited by any authenticated HTTP client; the request can use any method and content type because Flask’s get_json is called with force=True. An attacker sends a crafted JSON payload with target attributes that overwrite the trusted values from the database, thus gaining unauthorized access to resources in other projects or users.

Generated by OpenCVE AI on June 4, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenStack Keystone to version 29.0.2 or newer to enable the fix that prevents trusted policy data from being overwritten
  • If an immediate update is not possible, strip or reject the user_id and project_id fields (and any other body key that collides with trusted target data) from the incoming JSON before policy enforcement; removing force=True from the get_json call narrows parsing to bodies sent with a JSON Content-Type, but does not by itself stop a JSON body from overwriting target data
  • Enable detailed logging of policy enforcement events and review logs for anomalous target overrides to detect potential exploitation
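The description above and the sanitize-and-log recommendations are illustrated by this added example, which is not Keystone's code: a minimal model of the flawed merge order (trusted target first, raw body merged over it) beside a hardened order that drops and logs colliding body keys. All function names, the toy owner rule and the sample values are hypothetical; the hardened variant is one mitigation pattern, not necessarily the upstream fix.

```python
import logging

log = logging.getLogger("policy-enforcer")


def build_policy_dict_flawed(trusted_target: dict, json_input: dict) -> dict:
    """Hypothetical model of the flawed order in the advisory: database-derived
    target attributes are set first, then the raw body is merged over them, so
    any colliding key in the body silently replaces the trusted value."""
    policy_dict = dict(trusted_target)
    policy_dict.update(json_input.copy())
    return policy_dict


def build_policy_dict_hardened(trusted_target: dict, json_input: dict) -> tuple:
    """Hardened order: body keys that collide with trusted target attributes are
    dropped and logged, and trusted values are applied last so they always win.
    Returns (policy_dict, shadowed_keys) so the caller can audit override attempts."""
    shadowed = sorted(k for k in json_input if k in trusted_target)
    for key in shadowed:
        log.warning("request body attempted to override trusted target key %r", key)
    policy_dict = {k: v for k, v in json_input.items() if k not in trusted_target}
    policy_dict.update(trusted_target)
    return policy_dict, shadowed


def owner_rule(policy_dict: dict, credentials: dict) -> bool:
    """Toy stand-in for an RBAC rule that compares the caller with target.user_id."""
    return policy_dict.get("user_id") == credentials.get("user_id")


# Constructed sample: the caller is one user, the resource (as loaded from the
# database) belongs to another, and the body carries keys that collide with the
# trusted target attributes named in the advisory.
CREDENTIALS = {"user_id": "caller-user-id"}
TRUSTED_TARGET = {"user_id": "owner-user-id", "project_id": "owner-project-id"}
REQUEST_BODY = {"user_id": "caller-user-id", "project_id": "caller-project-id",
                "description": "benign field"}


def compare() -> dict:
    """Evaluate the same request under both merge orders."""
    flawed_allows = owner_rule(build_policy_dict_flawed(TRUSTED_TARGET, REQUEST_BODY), CREDENTIALS)
    hardened_dict, shadowed = build_policy_dict_hardened(TRUSTED_TARGET, REQUEST_BODY)
    return {
        "flawed_allows": flawed_allows,                              # True: body won
        "hardened_allows": owner_rule(hardened_dict, CREDENTIALS),   # False: DB won
        "shadowed_keys": shadowed,                                   # keys worth alerting on
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(compare())
```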



Advisories
Debian DLA: DLA-4611-1 keystone security update
Debian DSA: DSA-6331-1 keystone security update
History

Thu, 04 Jun 2026 12:15:00 +0000

Title: removed "Keystone RBAC Bypass via Untrusted JSON Input"; added "openstack-keystone: OpenStack Keystone: Unauthorized access and privilege escalation via arbitrary policy attribute injection"
Weaknesses: added CWE-639
References
Metrics (threat_severity): removed None; added Important


Thu, 28 May 2026 22:00:00 +0000

Title: added "Keystone RBAC Bypass via Untrusted JSON Input"

Thu, 28 May 2026 20:30:00 +0000

Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 19:00:00 +0000

Description: added (the description text shown at the top of this page)
First Time appeared: Openstack; Openstack keystone
Weaknesses: added CWE-863
CPEs: added cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
Vendors & Products: Openstack; Openstack keystone
References
Metrics (cvssV3_1): added {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-05-28T19:42:27.483Z
Reserved: 2026-05-01T00:00:00.000Z
Link: CVE-2026-42999

Vulnrichment

Updated: 2026-05-28T19:42:22.178Z

NVD

Status: Analyzed
Published: 2026-05-28T19:16:37.630
Modified: 2026-06-02T14:41:56.133
Link: CVE-2026-42999

Redhat

Severity: Important
Public Date: 2026-05-28T00:00:00Z
Links: CVE-2026-42999 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-04T14:00:15Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-863: Incorrect Authorization