OpenStack Keystone before version 29.0.2 contains an authorization bypass vulnerability (CWE-863) in the POST /v3/credentials endpoint. The service fails to verify that the project_id supplied by the caller for an EC2-type credential matches the project associated with the authenticating application credential. This allows an attacker possessing an unrestricted application credential scoped to project A to create EC2 credentials for project B. Subsequently, exchanging these credentials via /v3/ec2tokens issues a Keystone token scoped to project B but still linked to the original application credential ID, enabling lateral movement across projects within the attacker's role footprint.

An attacker with an unrestricted application credential for one project can create credentials and obtain scoped tokens for other projects, effectively bypassing project-level authorization boundaries. This enables lateral movement across projects within the attacker's permitted roles, potentially leading to unauthorized access to resources in multiple projects. The vulnerability has a high CVSS score of 7.9, indicating significant confidentiality and integrity impact with limited availability impact.

A patch for this vulnerability is available in OpenStack Keystone version 29.0.2 and later. Since Keystone is a cloud-hosted service, the vendor typically manages remediation server-side. Users and administrators should verify that their Keystone deployments are updated to version 29.0.2 or later. Check the official OpenStack vendor advisory for confirmation of patch deployment status and further guidance. No additional mitigation actions are indicated by the vendor advisory at this time.