CVE-2026-43001

NameCVE-2026-43001
DescriptionAn issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
keystone (PTS)bullseye2:18.0.0-3+deb11u1vulnerable
bullseye (security)2:18.1.0-1+deb11u2vulnerable
bookworm, bookworm (security)2:22.0.2-0+deb12u1vulnerable
trixie (security), trixie2:27.0.0-3+deb13u1vulnerable
forky, sid2:29.0.1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
keystonesource(unstable)(unfixed)

Notes

https://bugs.launchpad.net/keystone/+bug/2149775
https://review.opendev.org/c/openstack/keystone/+/985804
Search for package or bug name: Reporting problems