CVE-2026-43000: CWE-863 Incorrect Authorization in OpenStack Keystone
An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.
AI Analysis
Technical Summary
This vulnerability in OpenStack Keystone (prior to 29.0.2) involves incorrect authorization (CWE-863) where an attacker with member-level access can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, passing trustor validation, while Keystone validates delegated roles against the victim's database role assignments rather than the requesting token's roles. This flaw enables attackers to create persistent trusts that delegate the victim's admin role to themselves, maintaining unauthorized admin access under the victim's identity.
Potential Impact
An attacker with member role privileges can escalate to admin privileges within OpenStack Keystone, potentially gaining full administrative control. The trust created persists independently, allowing sustained unauthorized access. Actions performed by the attacker are logged as if performed by the victim, complicating detection and attribution. This could lead to unauthorized administrative operations affecting the security and integrity of the OpenStack environment.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch information is provided. Users should monitor the OpenStack Keystone vendor advisories for updates and apply any forthcoming patches promptly. Until a fix is available, restrict member role permissions and carefully audit application credentials and trust configurations to limit potential exploitation.
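An added audit example in Python (not code from the advisory or from Keystone itself): it scans trust and application-credential records in the shape the Keystone v3 OS-TRUST and application_credentials APIs return, and flags the combination the advisory describes, a trust delegating a privileged role plus an unrestricted application credential. The sample records and the set of roles treated as privileged are assumptions.

```python
# Added audit helper, not part of the advisory or of Keystone. Record fields
# (trustor_user_id, trustee_user_id, impersonation, expires_at, remaining_uses,
# roles, unrestricted) follow the Keystone v3 API; sample data is constructed.

ADMIN_ROLES = {"admin"}  # assumption: roles treated as privileged here


def risky_trusts(trusts, admin_roles=ADMIN_ROLES):
    """Return (trust_id, reason) for trusts that delegate a privileged role.

    A trust with no expiry or unlimited remaining_uses persists indefinitely,
    matching the "trust persists independently" finding in the advisory.
    """
    findings = []
    for t in trusts:
        delegated = {r.get("name") for r in t.get("roles", [])} & admin_roles
        if not delegated or t["trustor_user_id"] == t["trustee_user_id"]:
            continue  # nothing privileged delegated, or self-delegation only
        reasons = ["delegates " + ",".join(sorted(delegated))]
        if t.get("expires_at") is None:
            reasons.append("no expiry")
        if t.get("remaining_uses") is None:
            reasons.append("unlimited uses")
        if t.get("impersonation"):
            reasons.append("impersonation")
        findings.append((t["id"], "; ".join(reasons)))
    return findings


def unrestricted_app_creds(creds):
    """Return ids of application credentials created with unrestricted=True.

    Keystone only lets an application credential create further application
    credentials or trusts when that flag is set, so it is the one to audit.
    """
    return [c["id"] for c in creds if c.get("unrestricted") is True]


# Constructed sample records for demonstration only.
SAMPLE_TRUSTS = [
    {"id": "t-1", "trustor_user_id": "victim", "trustee_user_id": "attacker",
     "impersonation": True, "expires_at": None, "remaining_uses": None,
     "roles": [{"name": "admin"}]},
    {"id": "t-2", "trustor_user_id": "ops", "trustee_user_id": "svc",
     "impersonation": False, "expires_at": "2026-06-01T00:00:00Z",
     "remaining_uses": 1, "roles": [{"name": "member"}]},
]
SAMPLE_CREDS = [
    {"id": "ac-1", "user_id": "victim", "unrestricted": True},
    {"id": "ac-2", "user_id": "victim", "unrestricted": False},
]

if __name__ == "__main__":
    for tid, why in risky_trusts(SAMPLE_TRUSTS):
        print(f"trust {tid}: {why}")
    print("unrestricted app creds:", unrestricted_app_creds(SAMPLE_CREDS))
```

In a live deployment the records would come from `GET /v3/OS-TRUST/trusts` and `GET /v3/users/{user_id}/application_credentials`, paged over every user.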
CVSS v3.1 Score: 6.0 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-05-01T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a188e05e29bf47b501d67bd
Added to database: 5/28/2026, 6:48:37 PM
Last enriched: 5/28/2026, 7:05:42 PM
Last updated: 5/29/2026, 8:24:26 AM