CVE-2026-43000

HIGH EPSS 16.1%
Published May 28, 20261mo ago · Modified Jun 17, 20261w ago
8.8 CVSS 3.1
High
Find Similar
Published May 28, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
16.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

Affected Products 3

VendorProductVersionRange
openstackkeystone*≥14.0.0  –  <27.0.2
openstackkeystone*≥28.0.0  –  <28.0.2
openstackkeystone*≥29.0.0  –  <29.0.2

References 2

  • bugs.launchpad.net https://bugs.launchpad.net/keystone/+bug/2148477
    ExploitIssue TrackingPatchThird Party Advisory
  • security.openstack.org https://security.openstack.org/ossa/OSSA-2026-015.html
    PatchVendor Advisory

Remediation

  • bugs.launchpad.net https://bugs.launchpad.net/keystone/+bug/2148477
    ExploitIssue TrackingPatchThird Party Advisory
  • security.openstack.org https://security.openstack.org/ossa/OSSA-2026-015.html
    PatchVendor Advisory