| Name | CVE-2026-22797 |
| Description | An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-6104-1 |
| Debian Bugs | 1125680 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| python-keystonemiddleware (PTS) | bullseye | 9.1.0-2 | fixed |
| bookworm | 10.1.0-4 | fixed | |
| trixie | 10.9.0-2 | vulnerable | |
| trixie (security) | 10.9.0-2+deb13u1 | fixed | |
| forky, sid | 10.12.0-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python-keystonemiddleware | source | bullseye | (not affected) | |||
| python-keystonemiddleware | source | bookworm | (not affected) | |||
| python-keystonemiddleware | source | trixie | 10.9.0-2+deb13u1 | DSA-6104-1 | ||
| python-keystonemiddleware | source | (unstable) | 10.12.0-3 | 1125680 |
[bookworm] - python-keystonemiddleware <not-affected> (Vulnerable code not present)
[bullseye] - python-keystonemiddleware <not-affected> (Vulnerable code not present)
https://www.openwall.com/lists/oss-security/2026/01/15/1
https://bugs.launchpad.net/keystonemiddleware/+bug/2129018
Introduced with: https://github.com/openstack/keystonemiddleware/commit/de15a610e160defb367b224258498727384d10a8 (10.5.0)