CVE-2026-44394

NameCVE-2026-44394
DescriptionAn issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
keystone (PTS)bullseye2:18.0.0-3+deb11u1vulnerable
bullseye (security)2:18.1.0-1+deb11u3vulnerable
bookworm, bookworm (security)2:22.0.2-0+deb12u1vulnerable
trixie (security), trixie2:27.0.0-3+deb13u1vulnerable
forky2:29.0.1-1vulnerable
sid2:29.0.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
keystonesource(unstable)2:29.0.1-2

Notes

https://bugs.launchpad.net/keystone/+bug/2150379
https://security.openstack.org/ossa/OSSA-2026-015.html
Search for package or bug name: Reporting problems