OpenStack Keystone versions 13 through 29 contain an authorization flaw (CWE-863) in the POST /v3/credentials API endpoint. The service does not verify that the project_id provided when creating an EC2-type credential matches the project associated with the authenticating application credential. This allows an attacker holding an unrestricted application credential for project A to create EC2 credentials for project B. Subsequently, exchanging these credentials via /v3/ec2tokens issues a Keystone token scoped to project B but still linked to the original application credential ID. This enables cross-project lateral movement within the attacker's role scope. The CVSS 3.1 score is 7.9 (high severity), reflecting network attack vector, high privileges required, no user interaction, scope change, and high confidentiality and integrity impact with low availability impact. A patch is available, and as Keystone is a cloud service, remediation is typically managed by the vendor.

Successful exploitation allows an attacker with an unrestricted application credential in one project to create EC2 credentials for another project and obtain tokens scoped to that other project. This results in unauthorized cross-project access and lateral movement within the attacker's role permissions, potentially exposing sensitive data or operations across projects. The impact includes high confidentiality and integrity compromise with limited availability impact.

A patch is available for this vulnerability. Since OpenStack Keystone is a cloud service, the vendor typically manages remediation server-side. Users should verify with the vendor advisory that their Keystone deployment has been updated to address this issue. Until patched, restricting application credential privileges and monitoring for unusual credential creation activity may help reduce risk. Patch status is confirmed as available, so applying the official fix is the recommended mitigation.