PT-2026-44463 · OpenStack · Keystone

Boris Bobrov

Published: 2026-05-28
Updated: 2026-06-16

CVE-2026-42998
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenStack Keystone versions prior to 29.0.2

Description
The application credential authentication plugin fails to verify that the user named in the authentication request is the actual owner of the application credential. An attacker can present their own application credential ID and secret while specifying a different user's name and domain in the request body. The result is a project-scoped token attributed to the victim user, carrying the intersection of the application credential's roles and the victim's roles within the project. The flaw allows audit evasion, access to the victim's credentials, and the ability to act as the victim in shared projects.

Recommendations
Update to version 29.0.2.
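As an added illustration (not Keystone's own code), the ownership check the plugin must enforce: when the application_credential object in the request carries a user reference, that reference has to resolve to the credential's owner, otherwise the request is rejected and no token is attributed to anyone else. The in-memory directory, the sha256 secret hashing and the request builder are constructed assumptions, loosely modelled on the shape of Keystone's auth body.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class AppCred:
    id: str
    secret_hash: str  # sha256 of the secret; a constructed stand-in for a real password hash
    user_id: str      # the credential's owner
    project_id: str

@dataclass(frozen=True)
class User:
    id: str
    name: str
    domain: str       # domain name; the real API also accepts a domain id (omitted here)

class AuthError(Exception):
    """Raised when the request must be rejected (HTTP 401)."""

def _is_owner(owner: User, ref: dict) -> bool:
    """True only when the 'user' object in the request identifies the credential's owner."""
    if "id" in ref:
        return owner.id == ref["id"]
    return owner.name == ref.get("name") and owner.domain == ref.get("domain", {}).get("name")

def authenticate_app_cred(body: dict, app_creds: dict, users: dict) -> dict:
    """Validate an application-credential auth request and return the token attributes."""
    ref = body["auth"]["identity"]["application_credential"]
    cred = app_creds.get(ref.get("id"))
    if cred is None:
        raise AuthError("unknown application credential")
    given = hashlib.sha256(ref.get("secret", "").encode()).hexdigest()
    if not hmac.compare_digest(given, cred.secret_hash):
        raise AuthError("invalid secret")
    owner = users[cred.user_id]
    # The missing check: a user named in the request must be the credential's owner,
    # otherwise the issued token would be attributed to that other user.
    if "user" in ref and not _is_owner(owner, ref["user"]):
        raise AuthError("user in request does not own the application credential")
    return {"user_id": owner.id, "project_id": cred.project_id, "methods": ["application_credential"]}

# Constructed sample directory and request builder (hypothetical ids and values).
USERS = {"u-alice": User("u-alice", "alice", "Default"), "u-bob": User("u-bob", "bob", "Default")}
APP_CREDS = {"ac-1": AppCred("ac-1", hashlib.sha256(b"s3cret").hexdigest(), "u-alice", "p-shared")}

def build_request(user_ref=None, secret="s3cret") -> dict:
    ac = {"id": "ac-1", "secret": secret}
    if user_ref is not None:
        ac["user"] = user_ref
    return {"auth": {"identity": {"methods": ["application_credential"], "application_credential": ac}}}
```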

Fix · DoS · Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-42998
USN-8433-1

Affected Products

Keystone