PT-2025-47130 · Debian · Keystone

Published: 2025-11-04 · Updated: 2025-12-11 · CVE-2025-65073

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions
OpenStack Keystone versions prior to 26.0.1
OpenStack Keystone version 27.0.0
OpenStack Keystone version 28.0.0
keystone packages for Debian 11 bullseye prior to 2:18.1.0-1+deb11u2

Description: The identity service, keystone, contains an authorization flaw in its handling of the /v3/ec2tokens and /v3/s3tokens API endpoints: a request carrying a valid AWS-style signature could be granted Keystone authorization it was not entitled to. An unauthenticated attacker could use this to gain access and potentially escalate privileges. Swift also required a corresponding patch to keep working with the updated keystone.
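Patching closes the hole but says nothing about whether the two endpoints were abused beforehand, so the practical follow-up is to review Keystone's HTTP access logs for requests to /v3/ec2tokens and /v3/s3tokens and to account for every source that issued them. The Python below is an added example, not code from this page or from the Keystone project: the log lines are constructed in Apache combined-log format (the format keystone's usual Apache or uWSGI front end produces), and the known_clients allow-list is a hypothetical parameter for the Swift proxies and EC2-API nodes that legitimately call these endpoints.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2025:10:01:02 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 1834 "-" "python-keystoneclient"
198.51.100.7 - - [04/Nov/2025:10:02:15 +0000] "POST /v3/ec2tokens HTTP/1.1" 200 2210 "-" "curl/8.5.0"
198.51.100.7 - - [04/Nov/2025:10:02:16 +0000] "POST /v3/ec2tokens HTTP/1.1" 200 2210 "-" "curl/8.5.0"
198.51.100.7 - - [04/Nov/2025:10:02:40 +0000] "POST /v3/s3tokens HTTP/1.1" 200 1975 "-" "curl/8.5.0"
10.0.0.9 - - [04/Nov/2025:10:03:01 +0000] "POST /v3/s3tokens HTTP/1.1" 200 1975 "-" "swift-proxy"
10.0.0.5 - - [04/Nov/2025:10:04:00 +0000] "GET /v3/projects HTTP/1.1" 200 512 "-" "python-keystoneclient"
"""

# Combined-log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# The two endpoints named in the advisory.
CREDENTIAL_PATHS = {"/v3/ec2tokens", "/v3/s3tokens"}


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def credential_token_requests(lines, known_clients=()):
    """Return parsed requests to /v3/ec2tokens or /v3/s3tokens.

    known_clients (hypothetical allow-list) holds source IPs of the Swift proxies
    and EC2-API nodes that are expected to call these endpoints; they are skipped.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Normalise the path: drop any query string and a trailing slash.
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if path in CREDENTIAL_PATHS and rec["ip"] not in known_clients:
            rec["path"] = path
            hits.append(rec)
    return hits


def summarize(hits):
    """Count successful (2xx) token issuances per unexpected source IP and endpoint.

    A 2xx here means keystone handed out a token; non-2xx attempts are left out
    of the count but are still worth a look in the raw hits.
    """
    summary = defaultdict(Counter)
    for rec in hits:
        if rec["status"].startswith("2"):
            summary[rec["ip"]][rec["path"]] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


if __name__ == "__main__":
    hits = credential_token_requests(SAMPLE_LOG.splitlines(), known_clients={"10.0.0.9"})
    for ip, counts in summarize(hits).items():
        print(ip, counts)
```

Run it over the keystone access log with the real Swift proxy and EC2-API addresses in known_clients; anything left is a lead, not proof of exploitation, since these endpoints are legitimately used by S3- and EC2-compatible clients. For each remaining source, correlate the timestamps with keystone's own token-issuance log to see which user and project the resulting tokens belonged to.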
Recommendations: Update OpenStack Keystone 26.x to version 26.0.1 or later. Deployments running 27.0.0 or 28.0.0 should move to the patched release of their branch as published by upstream or their distribution. For Debian 11 bullseye, upgrade the keystone packages to version 2:18.1.0-1+deb11u2. Update Swift first, then keystone, since Swift needs its own patch to work with the fixed keystone.
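Deciding whether an installed keystone is affected means comparing its version against the ranges above, and for Debian packages that comparison has to be epoch- and tilde-aware (a plain string compare gets 2:18.1.0-1+deb11u2 versus 2:18.1.0-1+deb11u10 wrong, and ignores the epoch entirely). The Python below is an added example, not code from this page, from Keystone or from dpkg: it encodes the affected ranges exactly as the advisory lists them (treating only the exact releases 27.0.0 and 28.0.0 as affected on those branches, since the page gives no fixed version for them) and reimplements the dpkg version-ordering rules for the Debian check.

```python
import re

# Affected upstream ranges as stated in the advisory above.
UPSTREAM_FIXED_26 = (26, 0, 1)
UPSTREAM_EXACT_AFFECTED = {(27, 0, 0), (28, 0, 0)}
# Fixed Debian 11 (bullseye) package version as stated in the advisory above.
BULLSEYE_FIXED = "2:18.1.0-1+deb11u2"


def _numeric_tuple(version):
    """Leading dotted integers of an upstream version ('26.0.1.dev3' -> (26, 0, 1))."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def keystone_upstream_affected(version):
    """True if an upstream Keystone version falls in an affected range from the advisory.

    Versions the advisory does not list (for example other 27.x or 28.x releases)
    are reported as unaffected; check your distribution's advisory for those branches.
    """
    t = _numeric_tuple(version)
    if t < UPSTREAM_FIXED_26:
        return True
    return t in UPSTREAM_EXACT_AFFECTED


# --- dpkg version ordering (reimplementation of the documented rules, not dpkg's code) ---

def _order(c):
    """Sort weight of a non-digit character: '~' before everything, letters before symbols."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit prefixes character by character; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the digit runs numerically: skip leading zeros, longer run wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_debian(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def debian_version_cmp(a, b):
    """Negative if a < b, zero if equal, positive if a > b, under dpkg ordering."""
    ea, ua, ra = _split_debian(a)
    eb, ub, rb = _split_debian(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def debian_bullseye_affected(installed):
    """True if the installed bullseye keystone package is older than the fixed version."""
    return debian_version_cmp(installed, BULLSEYE_FIXED) < 0
```

Feed it the version from `dpkg-query -W -f='${Version}\n' keystone` on Debian, or from `python3 -c "import importlib.metadata as m; print(m.version('keystone'))"` in a source or pip deployment. On a Debian host `dpkg --compare-versions "$installed" lt 2:18.1.0-1+deb11u2` gives the same answer and is the authoritative check; the reimplementation is for running the comparison somewhere dpkg is not installed, such as an inventory script on a central host.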

Fix: available (see Recommendations)

Weakness Enumeration: Incorrect Authorization (CWE-863)

Related Identifiers

CVE-2025-65073
DLA-4367-1
DSA-6056-1
GHSA-HCQG-5G63-7J9H
RHSA-2026:1958
USN-7857-1
USN-7926-1

Affected Products

Linuxmint
Openstack Keystone
Swift
Ubuntu
Keystone