CVE-2026-43001

high

Published 2026-05-01 · Modified 2026-06-02

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

8.0

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.0

Description

An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.

Predictions

Exploit likelihood

87%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-43001 NameCVE-2026-43001 DescriptionAn issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting…

CVE-2026-43001

Name	CVE-2026-43001
Description	An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1135645

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
keystone (PTS)	bullseye	2:18.0.0-3+deb11u1	vulnerable
	bullseye (security)	2:18.1.0-1+deb11u3	vulnerable
	bookworm, bookworm (security)	2:22.0.2-0+deb12u1	vulnerable
	trixie (security), trixie	2:27.0.0-3+deb13u1	vulnerable
	forky	2:29.0.1-1	vulnerable
	sid	2:29.0.1-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
keystone	source	(unstable)	2:29.0.1-2			1135645

Notes

https://bugs.launchpad.net/keystone/+bug/2149775
https://review.opendev.org/c/openstack/keystone/+/985804
https://security.openstack.org/ossa/OSSA-2026-015.html

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://bugs.launchpad.net/keystone/+bug/2149775https://review.opendev.org/c/openstack/keystone/+/985804https://security.openstack.org/ossa/OSSA-2026-015.html

OS impact

Debian Mixed 5 releases

Version	Status	Fixed in
trixie	Affected	—
sid	Fixed	`2:29.0.1-2`
forky	Fixed	`2:29.0.1-2`
bullseye	Fixed	`2:18.1.0-1+deb11u3`
bookworm	Affected	—

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	keystone	`>=13.0.0,<=29.0.1`
PIP	keystone	`>= 13.0.0, <= 29.0.1`

Application impact

Vendor	Product	Versions	Fixed
openstack	keystone	`{"startIncluding":"13.0.0","endIncluding":"19.0.0"}`
openstack	keystone	`{"startIncluding":"14.0.0","endExcluding":"27.0.2"}`	`27.0.2`
openstack	keystone	`{"startIncluding":"28.0.0","endExcluding":"28.0.2"}`	`28.0.2`
openstack	keystone	`{"startIncluding":"29.0.0","endExcluding":"29.0.2"}`	`29.0.2`

References

CWEs

CWE-863

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.