CVE-2026-42998: CWE-863 Incorrect Authorization in OpenStack Keystone
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.
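To make the described flaw concrete, here is an illustrative model of an application-credential authentication step with the missing owner check beside its corrected form. This is an added example written for this page, not Keystone's code: the `User`/`AppCredential` structures, the directory contents, the function names and the audit-record shape are all assumptions. It goes slightly beyond the description by also including a retrospective check that flags tokens whose user does not match the credential owner in constructed auth records, which is the condition a defender would want to look for.

```python
# Illustrative model of the application-credential authentication flow
# described in CVE-2026-42998. Written for this page; NOT Keystone's own code.
# All names, data structures and the audit-record shape are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


class AuthError(Exception):
    """Raised when an authentication request must be rejected."""


@dataclass(frozen=True)
class User:
    id: str
    name: str
    domain_id: str


@dataclass(frozen=True)
class AppCredential:
    id: str
    secret: str
    user_id: str        # owner of the credential
    project_id: str     # an application credential is bound to one project
    roles: FrozenSet[str]


# Constructed sample directory: two users sharing one project.
USERS: Dict[str, User] = {
    "u-alice": User("u-alice", "alice", "default"),
    "u-bob": User("u-bob", "bob", "default"),
}
APP_CREDS: Dict[str, AppCredential] = {
    "ac-1": AppCredential("ac-1", "s3cret", "u-alice", "p-shared",
                          frozenset({"member", "reader"})),
}
# (user_id, project_id) -> roles actually assigned on the project
ROLE_ASSIGNMENTS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("u-alice", "p-shared"): frozenset({"member", "reader"}),
    ("u-bob", "p-shared"): frozenset({"admin", "member"}),
}


def _lookup_user(name: str, domain_id: str) -> User:
    for user in USERS.values():
        if user.name == name and user.domain_id == domain_id:
            return user
    raise AuthError("unknown user")


def _check_secret(request: dict) -> AppCredential:
    cred = APP_CREDS.get(request["id"])
    if cred is None or cred.secret != request["secret"]:
        raise AuthError("invalid application credential")
    return cred


def _effective_roles(cred: AppCredential, user: User) -> List[str]:
    # Token roles: credential roles intersected with the user's project roles
    assigned = ROLE_ASSIGNMENTS.get((user.id, cred.project_id), frozenset())
    return sorted(cred.roles & assigned)


def issue_token_vulnerable(request: dict) -> dict:
    """Pre-fix behaviour: the user named in the request body is trusted
    without being compared to the credential's owner."""
    cred = _check_secret(request)
    user = _lookup_user(request["user"]["name"], request["user"]["domain"])
    return {"user_id": user.id, "project_id": cred.project_id,
            "roles": _effective_roles(cred, user)}


def issue_token_fixed(request: dict) -> dict:
    """Corrected behaviour: the named user must be the credential's owner."""
    cred = _check_secret(request)
    user = _lookup_user(request["user"]["name"], request["user"]["domain"])
    if user.id != cred.user_id:
        raise AuthError("application credential does not belong to the requested user")
    return {"user_id": user.id, "project_id": cred.project_id,
            "roles": _effective_roles(cred, user)}


def find_owner_mismatches(records: List[dict]) -> List[dict]:
    """Retrospective audit over constructed auth records shaped like
    {"app_credential_id": ..., "token_user_id": ...}: return the records
    whose token user differs from the credential owner, the exact condition
    the corrected plugin rejects."""
    hits = []
    for rec in records:
        cred = APP_CREDS.get(rec["app_credential_id"])
        if cred is not None and rec["token_user_id"] != cred.user_id:
            hits.append(rec)
    return hits
```

The only difference between the two issuers is the single equality check on the credential owner; everything else, including the role intersection the description mentions, is unchanged. The audit helper applies the same comparison to historical records, which is the natural place to start when assessing exposure on a deployment that has not yet been upgraded.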
AI Analysis
Technical Summary
OpenStack Keystone versions prior to 29.0.2 contain an incorrect authorization vulnerability (CWE-863) in the application credential authentication plugin. The plugin does not verify that the user specified in the authentication request matches the owner of the application credential used. An attacker can exploit this by authenticating with their own application credential ID and secret but specifying a different user's name and domain in the request. Keystone then issues a project-scoped token attributed to the victim user, with roles intersecting the attacker’s credential roles and the victim’s project roles. This flaw enables impersonation within shared projects, potentially allowing audit evasion and unauthorized access to victim credentials.
Potential Impact
The vulnerability allows an attacker with low privileges to impersonate another user within shared projects by obtaining a token attributed to the victim user. This token carries a limited set of roles but can be used to evade audit controls, read victim credentials, and act as the victim in the scope of the project. The CVSS score of 6.0 (medium severity) reflects the network attack vector, required low privileges, and the potential for limited confidentiality, integrity, and availability impacts.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch link is provided, users should monitor OpenStack Keystone advisories for updates addressing this issue. Until a fix is available, restrict use of application credentials and carefully audit project role assignments to limit potential abuse.
CVSS v3.1
Score: 6.0 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-05-01T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a188e05e29bf47b501d67b5
Added to database: 5/28/2026, 6:48:37 PM
Last enriched: 5/28/2026, 7:05:53 PM
Last updated: 5/29/2026, 8:24:26 AM