CVE-2026-42999

NameCVE-2026-42999
DescriptionAn issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0).
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
keystone (PTS)bullseye2:18.0.0-3+deb11u1vulnerable
bullseye (security)2:18.1.0-1+deb11u3vulnerable
bookworm, bookworm (security)2:22.0.2-0+deb12u1vulnerable
trixie (security), trixie2:27.0.0-3+deb13u1vulnerable
forky2:29.0.1-1vulnerable
sid2:29.0.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
keystonesource(unstable)2:29.0.1-2

Notes

https://bugs.launchpad.net/keystone/+bug/2148398
https://security.openstack.org/ossa/OSSA-2026-015.html
Search for package or bug name: Reporting problems