PT-2026-44466 · Openstack · Openstack Keystone

Erichen

·

Published

2026-05-28

·

Updated

2026-06-16

·

CVE-2026-44394

CVSS v3.1

8.1

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

OpenStack Keystone versions prior to 29.0.2
Description

The federated token rescoping mechanism fails to propagate the original token's expiry to the newly issued token. When a federated user rescopes a token through the POST /v3/auth/tokens endpoint, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider therefore issues the rescoped token with a fresh default time to live (TTL) instead of the remaining lifetime of the original token. A user who rescopes a token repeatedly, each time shortly before it expires, can keep a valid token indefinitely and bypass the configured token lifetime policy. Only deployments that use federated identity, such as SAML2 or OpenID Connect, are affected.
Recommendations

Update to version 29.0.2 or later.
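The following model, added here to illustrate the advisory and not taken from Keystone's code base, contrasts the pre-29.0.2 behaviour (the mapped plugin's handle_scoped_token() returns response data without expires_at, so the token provider applies a fresh default TTL) with the corrected behaviour (the parent token's expiry is carried over and the child can never outlive it). The function names handle_scoped_token and the field expires_at follow the advisory; the token store, DEFAULT_TTL, the user and project IDs and the clock origin START are constructed stand-ins, not Keystone internals. simulate_chain() shows why the defect matters: rescoping every 50 minutes with a 1 hour TTL yields unbounded access on the vulnerable path and stops after one rescope on the fixed path.

```python
"""Added illustration of the federated rescoping defect (not Keystone's own code).

Names from the advisory: handle_scoped_token, expires_at, POST /v3/auth/tokens.
DEFAULT_TTL, START, user/project IDs and the token dicts are constructed stand-ins.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_TTL = timedelta(hours=1)                    # stand-in for keystone.conf [token] expiration
START = datetime(2026, 6, 1, tzinfo=timezone.utc)   # constructed clock origin


def issue_token(user_id, project_id, now, expires_at=None):
    """Token-provider step: when the auth plugin's response data carries no
    expires_at, a fresh default TTL is applied (the behaviour the advisory describes)."""
    if expires_at is None:
        expires_at = now + DEFAULT_TTL
    return {"user_id": user_id, "project_id": project_id,
            "issued_at": now, "expires_at": expires_at}


def handle_scoped_token_vulnerable(token, project_id):
    """Pre-29.0.2 behaviour: response data without expires_at."""
    return {"user_id": token["user_id"], "project_id": project_id}


def handle_scoped_token_fixed(token, project_id):
    """Corrected behaviour: the parent token's expiry is propagated."""
    return {"user_id": token["user_id"], "project_id": project_id,
            "expires_at": token["expires_at"]}


def rescope(token, project_id, now, handler):
    """Model of POST /v3/auth/tokens using the token auth method with a new scope."""
    if now >= token["expires_at"]:
        raise PermissionError("parent token expired")
    data = handler(token, project_id)
    child = issue_token(data["user_id"], data["project_id"], now, data.get("expires_at"))
    # Regardless of the handler, a new token never gets more than DEFAULT_TTL from now.
    child["expires_at"] = min(child["expires_at"], now + DEFAULT_TTL)
    return child


def expiry_extended(parent, child):
    """Audit check: a rescoped token must not outlive the token it was derived from."""
    return child["expires_at"] > parent["expires_at"]


def rescope_extends_expiry(handler, minutes_elapsed=30):
    """One rescope at START + minutes_elapsed: does the child outlive its parent?"""
    parent = issue_token("fed-user-1", "project-a", START)
    child = rescope(parent, "project-b", START + timedelta(minutes=minutes_elapsed), handler)
    return expiry_extended(parent, child)


def simulate_chain(handler, rescopes=10, interval=timedelta(minutes=50)):
    """Rescope every `interval` (just before expiry). Returns (rescopes that
    succeeded, total minutes of access from START until the last token expires)."""
    token = issue_token("fed-user-1", "project-a", START)
    now = START
    done = 0
    for i in range(rescopes):
        now += interval
        try:
            token = rescope(token, ("project-b", "project-a")[i % 2], now, handler)
        except PermissionError:
            break
        done += 1
    minutes = int((token["expires_at"] - START).total_seconds() // 60)
    return done, minutes


if __name__ == "__main__":
    print("vulnerable:", simulate_chain(handle_scoped_token_vulnerable))   # (10, 560)
    print("fixed:     ", simulate_chain(handle_scoped_token_fixed))        # (1, 60)
```

The same comparison works as a check on a live deployment: obtain a federated (SAML2 or OIDC) unscoped token, rescope it with the token auth method, and compare the expires_at fields of the two responses. On a patched Keystone the rescoped token's expires_at is never later than the original's.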

Fix

DoS

Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-44394
USN-8433-1

Affected Products

Openstack Keystone