PT-2026-32909 · OpenStack · Keystone

Credits: Andrew Bogott (+1)

Published: 2026-04-14 · Updated: 2026-04-15

CVE-2026-40683

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: OpenStack Keystone versions prior to 28.0.1
Description: The LDAP identity backend fails to convert the user enabled attribute to a boolean value when the user_enabled_invert configuration option is set to False. Specifically, the _ldap_res_to_model() method of the UserApi class performs the string-to-boolean conversion only when user_enabled_invert is True; when it is False, the raw string value returned by LDAP (for example "FALSE") is stored in the user model unchanged. Because every non-empty string is truthy in Python, a user marked as disabled in LDAP is treated as enabled and can authenticate and perform actions as that user. This affects deployments that use the LDAP identity backend with neither user_enabled_invert = True nor user_enabled_emulation enabled.
Recommendations: Update to version 28.0.1 or later. As a temporary workaround, set the user_enabled_invert configuration option to True (adjusting the enabled attribute semantics in the directory accordingly) or enable user_enabled_emulation. After patching or applying a workaround, verify the fix by attempting to authenticate as an LDAP user whose enabled attribute is set to FALSE; the attempt must be rejected.
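The following is an added illustration of the flaw, not Keystone's own code: it models how an LDAP "enabled" attribute that arrives as a string is handled on the vulnerable and the corrected code paths, and includes a small audit helper that lists which directory entries the vulnerable path would wrongly admit. The LDAP entries are constructed, the function names are assumptions, and the user_enabled_emulation path is not modelled.

```python
"""Added illustration of CVE-2026-40683 (not Keystone's own code).

LDAP returns the user "enabled" attribute as a string such as "TRUE" or
"FALSE".  Before Keystone 28.0.1 the backend converted that string to a bool
only when user_enabled_invert was True; otherwise the raw string reached the
user model, where any non-empty string is truthy.  Names and entries below are
assumptions constructed for the demonstration.
"""

# Constructed LDAP search results, already decoded to str, as a minimal stand-in
# for what the backend receives. "enabled" is the attribute that
# [ldap] user_enabled_attribute maps to.
LDAP_ENTRIES = [
    {"uid": "alice", "enabled": "TRUE"},
    {"uid": "bob", "enabled": "FALSE"},   # disabled in the directory
    {"uid": "carol"},                     # attribute absent: default applies
]


def ldap_bool(value):
    """Normalise an LDAP boolean attribute (bytes, str or bool) to a bool."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def res_to_model_vulnerable(entry, enabled_invert=False, enabled_default=True):
    """Behaviour before 28.0.1 (assumed shape): conversion only when inverting."""
    enabled = entry.get("enabled", enabled_default)
    if enabled_invert:
        enabled = not ldap_bool(enabled)
    # else: the raw value is stored as-is, and the str "FALSE" is truthy
    return {"name": entry["uid"], "enabled": enabled}


def res_to_model_fixed(entry, enabled_invert=False, enabled_default=True):
    """Corrected behaviour: always normalise to bool, then apply the inversion."""
    enabled = ldap_bool(entry.get("enabled", enabled_default))
    if enabled_invert:
        enabled = not enabled
    return {"name": entry["uid"], "enabled": enabled}


def auth_allowed(user):
    """Downstream check: reject only a disabled user.  Written as a truthiness
    test, which is exactly what lets a stray str slip through."""
    return bool(user["enabled"])


def wrongly_enabled(entries, enabled_invert=False):
    """Audit helper: uids that the vulnerable path admits but the fixed path
    rejects.  Run over a real directory export with the deployment's actual
    user_enabled_invert value to see who is exposed on an unpatched Keystone."""
    exposed = []
    for entry in entries:
        before = auth_allowed(res_to_model_vulnerable(entry, enabled_invert))
        after = auth_allowed(res_to_model_fixed(entry, enabled_invert))
        if before and not after:
            exposed.append(entry["uid"])
    return exposed


if __name__ == "__main__":
    print("exposed with user_enabled_invert=False:", wrongly_enabled(LDAP_ENTRIES))
    print("exposed with user_enabled_invert=True: ", wrongly_enabled(LDAP_ENTRIES, True))
```

With the default user_enabled_invert = False the audit reports "bob", whose "FALSE" string is truthy on the vulnerable path; with user_enabled_invert = True both paths convert the string first, which is why that setting works as a workaround.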

Fix

Weakness Enumeration: Type Confusion

Related Identifiers

CVE-2026-40683
GHSA-PFX2-9X9M-7GHX

Affected Products

Keystone