CVE-2026-42999

HIGH EPSS 16.6%
Published May 28, 20261mo ago · Modified Jun 17, 20261w ago
8.8 CVSS 3.1
High
Find Similar
Published May 28, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0).

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
16.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

Affected Products 3

VendorProductVersionRange
openstackkeystone*≥14.0.0  –  <27.0.2
openstackkeystone*≥28.0.0  –  <28.0.2
openstackkeystone*≥29.0.0  –  <29.0.2

References 2

  • bugs.launchpad.net https://bugs.launchpad.net/keystone/+bug/2148398
    ExploitIssue TrackingPatchThird Party Advisory
  • security.openstack.org https://security.openstack.org/ossa/OSSA-2026-015.html
    PatchVendor Advisory

Remediation

  • bugs.launchpad.net https://bugs.launchpad.net/keystone/+bug/2148398
    ExploitIssue TrackingPatchThird Party Advisory
  • security.openstack.org https://security.openstack.org/ossa/OSSA-2026-015.html
    PatchVendor Advisory