Description
An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.
Published: 2026-05-28
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue in OpenStack Keystone prior to version 29.0.2 allows an attacker with a member role on a project to elevate privileges to administrator by combining unrestricted application credentials with Keystone trusts. The vulnerability results from Keystone validating delegated roles against the victim's actual role assignments rather than the roles on the requesting token, enabling creation of a trust that grants the victim's admin role to the attacker. All actions are recorded under the victim's identity but the attacker achieves full administrative control.
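To make the broken check concrete, here is a reduced Python model of the trust-creation authorization described in the Description and the Impact paragraph above. It is an added illustration written for this page, not Keystone's code: the Token dataclass, the ROLE_ASSIGNMENTS store, the user and project names and the function names are all assumptions. The vulnerable version checks the trustor's identity against the token but the requested roles against the stored assignments, so a token that carries the victim's identity with only the member role can still delegate admin; the hardened version caps delegation at the roles the token itself carries and, as an extra defensive measure in line with the recommended actions further down (not the upstream patch), refuses to mint trusts from application-credential tokens.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Assumed token shape: who it speaks for, where, with which roles, and how it was obtained."""
    user_id: str
    project_id: str
    roles: frozenset
    auth_method: str  # "password" or "application_credential" in this model


# Assumed backing store of real role assignments, keyed by (user, project).
ROLE_ASSIGNMENTS = {
    ("victim", "proj-1"): frozenset({"member", "admin"}),
    ("attacker", "proj-1"): frozenset({"member"}),
}


def _assigned_roles(user_id, project_id):
    return ROLE_ASSIGNMENTS.get((user_id, project_id), frozenset())


def create_trust_vulnerable(token, trustor_user_id, trustee_user_id, roles):
    """Models the flawed check: identity is taken from the token, but the
    delegated roles are compared with the trustor's stored assignments."""
    if token.user_id != trustor_user_id:
        raise PermissionError("trustor must be the authenticated user")
    if not set(roles) <= _assigned_roles(trustor_user_id, token.project_id):
        raise PermissionError("trustor does not hold the requested roles")
    return {"trustor": trustor_user_id, "trustee": trustee_user_id,
            "project": token.project_id, "roles": sorted(roles)}


def create_trust_hardened(token, trustor_user_id, trustee_user_id, roles):
    """Delegation is capped at the roles the requesting token carries, and
    (a defensive assumption, not the upstream fix) application-credential
    tokens may not mint trusts at all."""
    if token.user_id != trustor_user_id:
        raise PermissionError("trustor must be the authenticated user")
    if token.auth_method == "application_credential":
        raise PermissionError("application credential tokens cannot create trusts")
    effective = token.roles & _assigned_roles(trustor_user_id, token.project_id)
    if not set(roles) <= effective:
        raise PermissionError("requested roles exceed the roles on the token")
    return {"trustor": trustor_user_id, "trustee": trustee_user_id,
            "project": token.project_id, "roles": sorted(roles)}


def trust_granted(create_fn, token, trustor_user_id, trustee_user_id, roles):
    """Convenience wrapper: True if the trust would be created, False if refused."""
    try:
        create_fn(token, trustor_user_id, trustee_user_id, roles)
        return True
    except PermissionError:
        return False


# Constructed scenario: the attacker holds a token that names the victim
# (obtained through the impersonation flaw) but carries only the member role.
IMPERSONATED_TOKEN = Token("victim", "proj-1", frozenset({"member"}), "application_credential")
# The victim's own password-authenticated token, for comparison.
VICTIM_TOKEN = Token("victim", "proj-1", frozenset({"member", "admin"}), "password")


if __name__ == "__main__":
    for name, fn in (("vulnerable", create_trust_vulnerable), ("hardened", create_trust_hardened)):
        print(name, "attacker delegates victim's admin role:",
              trust_granted(fn, IMPERSONATED_TOKEN, "victim", "attacker", ["admin"]))
        print(name, "victim delegates own admin role:",
              trust_granted(fn, VICTIM_TOKEN, "victim", "svc-account", ["admin"]))
```

The only line that matters is the role comparison: the vulnerable version asks "does the victim hold admin in the database?" (yes), the hardened version asks "does this token carry admin?" (no). Note that in the hardened function the attacker's attempt is already refused by the role cap alone; the application-credential rule is belt and braces.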

Affected Systems

OpenStack Keystone, versions earlier than 29.0.2. The chain requires that application credentials (specifically unrestricted ones) and trusts both be usable in the deployment, and that the separate application credential impersonation flaw is also present. Debian has published DLA-4611-1 and DSA-6331-1 for its keystone packages (see Advisories below); any other deployment running Keystone before 29.0.2 should be treated as affected.

Risk and Exploitability

The CVSS 3.1 base score is 6.0 (Medium), vector AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L: reachable over the network with only low privileges (a project member role) and no user interaction, but rated high complexity because it depends on a separate application credential impersonation flaw, and marked scope-changed because the broken check lets a project member acquire another user's admin role. The EPSS score of 0.00041 (under 1%) indicates a very low predicted likelihood of exploitation, and the CVE is not in the CISA KEV catalog; the SSVC assessment records no known exploitation and rates it not automatable. The attack needs an existing member role on a project and the ability to create application credentials; trusts are used routinely by OpenStack services, so these preconditions are common. Because the resulting trust persists independently of the token used to create it and can in turn be used to mint further trusts and application credentials, an attacker can retain elevated access after the original impersonation path is closed, and every step appears in the audit trail under the victim's identity.

Generated by OpenCVE AI on June 4, 2026 at 13:52 UTC.

Remediation

The upstream fix is in Keystone 29.0.2 (the affected range is every version before it), and Debian has issued DLA-4611-1 and DSA-6331-1 for its keystone packages. No workaround short of upgrading is listed.

OpenCVE Recommended Actions

  • Upgrade Keystone to version 29.0.2 or later
  • Disable or restrict the use of unrestricted application credentials if they are not needed
  • Block creation of trusts that grant admin privileges unless explicitly required
  • Monitor audit logs for unauthorized trust creation and role escalations
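As an added example of the monitoring step above (written for this page, not an OpenCVE or Keystone tool), the following Python script scans a constructed stream of simplified audit records for the signals this chain leaves: trusts created from application-credential tokens, trusts delegating an admin role, and unrestricted application credentials created from another application-credential token. The record layout and field names (event, initiator_user, auth_method, trustee_user, roles, unrestricted) are assumptions standing in for a deployment's real audit format, not Keystone's actual log schema, and the sample lines are constructed.

```python
import json

# Constructed sample records (not real Keystone output); one JSON object per line.
SAMPLE_AUDIT_LOG = """
{"ts": "2026-06-01T09:00:01Z", "event": "trust.created", "initiator_user": "victim", "auth_method": "password", "project": "proj-1", "trustee_user": "heat-svc", "roles": ["member"]}
{"ts": "2026-06-01T09:05:12Z", "event": "trust.created", "initiator_user": "victim", "auth_method": "application_credential", "project": "proj-1", "trustee_user": "attacker", "roles": ["admin"]}
{"ts": "2026-06-01T09:06:40Z", "event": "application_credential.created", "initiator_user": "victim", "auth_method": "application_credential", "project": "proj-1", "unrestricted": true}
{"ts": "2026-06-01T09:07:03Z", "event": "trust.created", "initiator_user": "victim", "auth_method": "application_credential", "project": "proj-1", "trustee_user": "attacker", "roles": ["member"]}
{"ts": "2026-06-01T10:00:00Z", "event": "application_credential.created", "initiator_user": "ops", "auth_method": "password", "project": "proj-2", "unrestricted": false}
"""

# Roles whose delegation should always be reviewed (assumed set).
PRIVILEGED_ROLES = frozenset({"admin"})


def parse_audit_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_record(rec, privileged_roles=PRIVILEGED_ROLES):
    """Return the list of reasons a single record is suspicious (empty if none)."""
    reasons = []
    from_app_cred = rec.get("auth_method") == "application_credential"
    if rec.get("event") == "trust.created":
        delegated = set(rec.get("roles", []))
        if from_app_cred:
            reasons.append("trust minted from an application-credential token")
        if delegated & privileged_roles:
            reasons.append("trust delegates privileged role(s): "
                           + ", ".join(sorted(delegated & privileged_roles)))
    elif rec.get("event") == "application_credential.created":
        if rec.get("unrestricted"):
            reasons.append("unrestricted application credential created")
        if from_app_cred:
            reasons.append("application credential chained from another application-credential token")
    return reasons


def find_suspicious(records, privileged_roles=PRIVILEGED_ROLES):
    """Return (record, reasons) pairs for every record that trips a rule."""
    hits = []
    for rec in records:
        reasons = flag_record(rec, privileged_roles)
        if reasons:
            hits.append((rec, reasons))
    return hits


def summarize_by_identity(hits):
    """Count hits per initiator. Every step of this chain is logged under the
    victim, so one identity accumulating several hits in a short window is the tell."""
    counts = {}
    for rec, _ in hits:
        counts[rec["initiator_user"]] = counts.get(rec["initiator_user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious(parse_audit_log(SAMPLE_AUDIT_LOG))
    for rec, reasons in hits:
        print(rec["ts"], rec["initiator_user"], rec["event"], "->", "; ".join(reasons))
    print("hits per identity:", summarize_by_identity(hits))
```

On the constructed input the first trust (password-authenticated, member role only) and the ordinary application credential created by "ops" pass clean; the three records in the victim's name between 09:05 and 09:07 are all flagged. Because the attacker's actions carry the victim's identity, the per-identity count is the signal to alert on, and the victim should be asked whether they performed those actions rather than treated as the actor.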

Generated by OpenCVE AI on June 4, 2026 at 13:52 UTC.

Advisories
Source      ID          Title
Debian DLA  DLA-4611-1  keystone security update
Debian DSA  DSA-6331-1  keystone security update
History

Thu, 04 Jun 2026 12:15:00 +0000

Title
  Removed: OpenStack Keystone Privilege Escalation via Trust Exploit
  Added:   keystone: OpenStack Keystone: Privilege escalation via chained application credential impersonation and trust misuse
Weaknesses
  Added:   CWE-266
References
Metrics: threat_severity
  Removed: None
  Added:   Important


Thu, 28 May 2026 21:00:00 +0000

Title
  Added:   OpenStack Keystone Privilege Escalation via Trust Exploit

Thu, 28 May 2026 20:30:00 +0000

Metrics: ssvc
  Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 19:00:00 +0000

Description
  Added:   An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.
First Time appeared
  Added:   Openstack
           Openstack keystone
Weaknesses
  Added:   CWE-863
CPEs
  Added:   cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
Vendors & Products
  Added:   Openstack
           Openstack keystone
References
Metrics: cvssV3_1
  Added:   {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L'}


Subscriptions

Openstack Keystone
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-28T19:41:55.135Z

Reserved: 2026-05-01T00:00:00.000Z

Link: CVE-2026-43000

Vulnrichment

Updated: 2026-05-28T19:41:43.429Z

NVD

Status : Analyzed

Published: 2026-05-28T19:16:37.773

Modified: 2026-06-02T14:38:58.967

Link: CVE-2026-43000

Redhat

Severity : Important

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-43000 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-04T14:00:15Z

Weaknesses
  • CWE-266: Incorrect Privilege Assignment
  • CWE-863: Incorrect Authorization