Description
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.
Published: 2026-05-28
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Keystone federated token rescoping function does not carry over the original token's expiration to new tokens. When a federated user invokes POST /v3/auth/tokens to rescopes, the system returns a response missing expires_at, causing the provider to issue a token with a default TTL. By repeatedly rescopes before expiration, a user can keep a token alive indefinitely, circumventing operator‑set token life policies. This allows continuous access and can be seen as a variant of CVE‑2012‑3426.

Affected Systems

OpenStack Keystone, versions earlier than 29.0.2, is affected. The flaw only exists in deployments that employ federated identity, such as SAML2 or OpenID Connect. Operators should review the version of Keystone in use and consider upgrading.

Risk and Exploitability

The CVSS score of 6 categorizes the flaw as moderate. The exploit hinges on a legitimate user possessing a federated token that can use the POST /v3/auth/tokens endpoint to rescopes. By repeating the rescopes before expiration, the attacker can maintain unlimited access, bypassing operator‑defined token lifetimes. The EPSS score indicates a very low likelihood of exploitation, reported as less than 1%, and the vulnerability is not listed in CISA KEV. Even though the CVSS rating is moderate, the persistence of unauthorized access makes it a significant threat to confidentiality and integrity for systems that rely on token expiration for access control.

Generated by OpenCVE AI on June 4, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Keystone to version 29.0.2 or later to ensure expires_at is propagated correctly.
  • If an upgrade is not immediately possible, disable or restrict the rescope endpoint for non‑administrative users or modify policy to require explicit expires_at in the rescope request.
  • Monitor token usage for repeated rescopes, enforce short token time‑to‑live settings, and revoke suspicious tokens to mitigate indefinite access.

Generated by OpenCVE AI on June 4, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4611-1 keystone security update
Debian DSA Debian DSA DSA-6331-1 keystone security update
History

Thu, 04 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Keystone Federated Token Rescoping Causing Indefinite Token Lifetime openstack-keystone: OpenStack Keystone: Federated token rescoping allows indefinite access
Weaknesses CWE-613
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 28 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Keystone Federated Token Rescoping Causing Indefinite Token Lifetime

Thu, 28 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.
First Time appeared Openstack
Openstack keystone
Weaknesses CWE-863
CPEs cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack keystone
References
Metrics cvssV3_1

{'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L'}

Subscriptions

Openstack Keystone
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-28T19:43:05.616Z

Reserved: 2026-05-05T00:00:00.000Z

Link: CVE-2026-44394

cve-icon Vulnrichment

Updated: 2026-05-28T19:42:54.602Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T19:16:38.223

Modified: 2026-06-02T14:21:29.850

Link: CVE-2026-44394

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-44394 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T14:30:15Z

Weaknesses
  • CWE-613

    Insufficient Session Expiration

  • CWE-863

    Incorrect Authorization