CVE-2026-33551: CWE-863 Incorrect Authorization in OpenStack Keystone
CVE-2026-33551 is a vulnerability in OpenStack Keystone versions 14 through 26 before 26. 1. 1, 27. 0. 0, 28. 0. 0, and 29. 0. 0. It allows restricted application credentials to create EC2 credentials with the full set of the parent user's S3 permissions, bypassing intended role restrictions.
AI Analysis
Technical Summary
OpenStack Keystone versions 14 to 26 (before 26.1.1), 27.0.0, 28.0.0, and 29.0.0 contain an authorization flaw (CWE-863) where restricted application credentials can be used to create EC2 credentials that inherit the full S3 permissions of the parent user. This bypasses the role restrictions intended for the application credential. The vulnerability specifically impacts deployments using restricted application credentials with the EC2/S3 compatibility API (swift3 / s3api). The CVSS v3.1 score is 3.5 (low severity), reflecting low impact and high attack complexity. The vulnerability is present in a cloud service context, and the vendor manages remediation.
Potential Impact
An authenticated user with only a reader role can exploit this vulnerability to obtain EC2/S3 credentials that carry the full permissions of the parent user, effectively bypassing role restrictions. This could lead to unauthorized privilege escalation within the affected OpenStack Keystone deployments that use the EC2/S3 compatibility API. There is no impact on confidentiality, but integrity is affected due to unauthorized actions possible with elevated permissions. Availability is not impacted. No known exploits are reported in the wild.
Mitigation Recommendations
Since OpenStack Keystone is a cloud service, the vendor manages remediation server-side. A patch is available, and users should verify with the OpenStack vendor advisory for the latest remediation status and ensure their deployments are updated to versions 26.1.1 or later, or 27.0.0, 28.0.0, 29.0.0 and beyond as applicable. Deployments not using restricted application credentials with the EC2/S3 compatibility API are not affected. No additional action is required beyond applying the vendor-managed patch or update.
CVE-2026-33551: CWE-863 Incorrect Authorization in OpenStack Keystone
Description
CVE-2026-33551 is a vulnerability in OpenStack Keystone versions 14 through 26 before 26. 1. 1, 27. 0. 0, 28. 0. 0, and 29. 0. 0. It allows restricted application credentials to create EC2 credentials with the full set of the parent user's S3 permissions, bypassing intended role restrictions.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenStack Keystone versions 14 to 26 (before 26.1.1), 27.0.0, 28.0.0, and 29.0.0 contain an authorization flaw (CWE-863) where restricted application credentials can be used to create EC2 credentials that inherit the full S3 permissions of the parent user. This bypasses the role restrictions intended for the application credential. The vulnerability specifically impacts deployments using restricted application credentials with the EC2/S3 compatibility API (swift3 / s3api). The CVSS v3.1 score is 3.5 (low severity), reflecting low impact and high attack complexity. The vulnerability is present in a cloud service context, and the vendor manages remediation.
Potential Impact
An authenticated user with only a reader role can exploit this vulnerability to obtain EC2/S3 credentials that carry the full permissions of the parent user, effectively bypassing role restrictions. This could lead to unauthorized privilege escalation within the affected OpenStack Keystone deployments that use the EC2/S3 compatibility API. There is no impact on confidentiality, but integrity is affected due to unauthorized actions possible with elevated permissions. Availability is not impacted. No known exploits are reported in the wild.
Mitigation Recommendations
Since OpenStack Keystone is a cloud service, the vendor manages remediation server-side. A patch is available, and users should verify with the OpenStack vendor advisory for the latest remediation status and ensure their deployments are updated to versions 26.1.1 or later, or 27.0.0, 28.0.0, 29.0.0 and beyond as applicable. Deployments not using restricted application credentials with the EC2/S3 compatibility API are not affected. No additional action is required beyond applying the vendor-managed patch or update.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-03-22T00:00:00.000Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69d862041cc7ad14da50d937
Added to database: 4/10/2026, 2:35:48 AM
Last enriched: 4/10/2026, 2:51:09 AM
Last updated: 4/10/2026, 3:43:07 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.