CVE-2026-43001 - Vulnerability Details

- Cross-Project Credential Abuse via Unvalidated project_id in Keystone

Description

An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.

Published: 2026-05-01

Score: 7.9 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Keystone’s credential creation endpoint allows an attacker who holds an unrestricted application credential for one project to create an EC2 credential that targets another project. Because the service does not verify that the supplied project_id matches the authenticating credential’s project, the resulting token can be scoped to the target project while the original application credential identifier is retained. This authentication/authorization weakness (CWE‑863) enables an attacker to move laterally between projects within the same role footprint, granting unauthorized access to resources, potentially compromising confidentiality, integrity, and availability.

Affected Systems

OpenStack Keystone versions 13 through 29 are vulnerable. The issue affects all deployments of the Keystone identity service that use the POST /v3/credentials API without additional policy checks.

Risk and Exploitability

The vulnerability scores a CVSS of 7.9, indicating high severity. No EPSS data is available, and it is not listed in the CISA KEV catalog. The attack can be performed by any user possessing an unrestricted application credential, simply by submitting a crafted POST request to /v3/credentials. No special network conditions are required, making the risk realistic in environments that allow unrestricted application credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

OpenStack

Keystone

unaffected

Version	Status	Constraints
`13`	affected	≤ 29

No data.

Vendor Product Confidence Versions

Openstack

Keystone

95%

Version	Status	Scheme	Platform
`[13,29]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Keystone to a version that has removed the project_id validation flaw (i.e. 30 or newer).
Revoke or restrict any application credentials that have unrestricted, cross‑project privileges, and enforce the principle of least privilege.
Configure monitoring to flag credential creation requests where the project_id does not match the requester’s project, and review audit logs for evidence of illicit lateral movement.

Generated by OpenCVE AI on May 2, 2026 at 00:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://bugs.launchpad.net/keystone/+bug/2149775
https://review.opendev.org/c/openstack/keystone/+/985804

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title		Cross-Project Credential Abuse via Unvalidated project_id in Keystone

Fri, 01 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 01 May 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
First Time appeared		Openstack Openstack keystone
Weaknesses		CWE-863
CPEs		cpe:2.3:a:openstack:keystone::::::::
Vendors & Products		Openstack Openstack keystone
References		https://bugs.launchpad.net/keystone/+bug/2149775 https://review.opendev.org/c/openstack/keystone/+/985804
Metrics		cvssV3_1 `{'score': 7.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L'}`

Subscriptions

Openstack Keystone

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-01T00:00:00.000Z

Updated: 2026-05-01T13:28:14.602Z

Reserved: 2026-05-01T00:00:00.000Z

Link: CVE-2026-43001

Vulnrichment

Updated: 2026-05-01T13:28:10.395Z

NVD

Status : Awaiting Analysis

Published: 2026-05-01T09:16:17.273

Modified: 2026-05-01T15:33:10.820

Link: CVE-2026-43001

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:15:06Z

Weaknesses

CWE-863

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object