CVE-2026-40683: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') in OpenStack Keystone
CVE-2026-40683 is a high-severity vulnerability in OpenStack Keystone versions before 28. 0. 1 affecting the LDAP identity backend. The issue arises because the user enabled attribute from LDAP is not properly converted to a boolean when the user_enabled_invert configuration option is set to its default value, False. This causes users marked as disabled in LDAP to be treated as enabled by Keystone, allowing them to authenticate and perform actions. The vulnerability affects all deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation. There is no explicit patch or official remediation level provided in the available data.
AI Analysis
Technical Summary
In OpenStack Keystone versions prior to 28.0.1, the LDAP identity backend mishandles the user enabled attribute due to improper type conversion. Specifically, when the user_enabled_invert configuration option is False (default), the _ldap_res_to_model method in the UserApi class does not convert the LDAP user enabled attribute from a string to a boolean. Because non-empty strings are truthy in Python, users disabled in LDAP (e.g., with the string "FALSE") are incorrectly treated as enabled, allowing unauthorized authentication and action execution. This is classified as a CWE-843 (Access of Resource Using Incompatible Type) vulnerability. Affected versions include 8.0.0, 26.0.0, 27.0.0, and 28.0.0.
Potential Impact
Users who are marked as disabled in the LDAP directory can bypass this restriction and authenticate successfully in Keystone, potentially gaining unauthorized access and performing actions they should not be allowed to. This compromises the integrity and access control of the affected OpenStack Keystone deployments. The CVSS score of 7.7 (high) reflects the network attack vector, high impact on availability, and low complexity but requiring low privileges and no user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, affected deployments should consider setting the user_enabled_invert configuration option to True or enabling user_enabled_emulation as a temporary workaround to ensure proper boolean conversion of the user enabled attribute. Monitor OpenStack Keystone vendor advisories for updates and official patches.
CVE-2026-40683: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') in OpenStack Keystone
Description
CVE-2026-40683 is a high-severity vulnerability in OpenStack Keystone versions before 28. 0. 1 affecting the LDAP identity backend. The issue arises because the user enabled attribute from LDAP is not properly converted to a boolean when the user_enabled_invert configuration option is set to its default value, False. This causes users marked as disabled in LDAP to be treated as enabled by Keystone, allowing them to authenticate and perform actions. The vulnerability affects all deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation. There is no explicit patch or official remediation level provided in the available data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In OpenStack Keystone versions prior to 28.0.1, the LDAP identity backend mishandles the user enabled attribute due to improper type conversion. Specifically, when the user_enabled_invert configuration option is False (default), the _ldap_res_to_model method in the UserApi class does not convert the LDAP user enabled attribute from a string to a boolean. Because non-empty strings are truthy in Python, users disabled in LDAP (e.g., with the string "FALSE") are incorrectly treated as enabled, allowing unauthorized authentication and action execution. This is classified as a CWE-843 (Access of Resource Using Incompatible Type) vulnerability. Affected versions include 8.0.0, 26.0.0, 27.0.0, and 28.0.0.
Potential Impact
Users who are marked as disabled in the LDAP directory can bypass this restriction and authenticate successfully in Keystone, potentially gaining unauthorized access and performing actions they should not be allowed to. This compromises the integrity and access control of the affected OpenStack Keystone deployments. The CVSS score of 7.7 (high) reflects the network attack vector, high impact on availability, and low complexity but requiring low privileges and no user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, affected deployments should consider setting the user_enabled_invert configuration option to True or enabling user_enabled_emulation as a temporary workaround to ensure proper boolean conversion of the user enabled attribute. Monitor OpenStack Keystone vendor advisories for updates and official patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-04-14T20:05:01.861Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dea0b582d89c981ff4544a
Added to database: 4/14/2026, 8:16:53 PM
Last enriched: 4/14/2026, 8:31:50 PM
Last updated: 4/15/2026, 6:47:21 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.