PT-2026-31855 · Openstack · Openstack Keystone

Published: 2026-04-10 · Updated: 2026-04-10 · CVE-2026-33551

CVSS v3.1: 3.5 (Low)

AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

OpenStack Keystone versions 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0

Description

A flaw exists in OpenStack Keystone where restricted application credentials can be used to create EC2 credentials. An authenticated user with a reader role can potentially obtain EC2/S3 credentials with the full permissions of the parent user, bypassing intended role restrictions. This occurs when using restricted application credentials with the EC2/S3 compatibility API (swift3 / s3api).

Recommendations

Update to OpenStack Keystone version 26.1.1 or later.
Update to OpenStack Keystone version 27.0.1 or later.
Update to OpenStack Keystone version 28.0.1 or later.
Update to OpenStack Keystone version 29.0.1 or later.

Exploit

Fix

LPE

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-33551

Affected Products

Openstack Keystone