CVE-2026-44394

HIGH EPSS 16.1%
Published May 28, 20261mo ago · Modified Jun 17, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published May 28, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.

CVSS Details

Base Score
8.1
Exploitability
2.8
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
16.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

Affected Products 3

VendorProductVersionRange
openstackkeystone*≥14.0.0  –  <27.0.2
openstackkeystone*≥28.0.0  –  <28.0.2
openstackkeystone*≥29.0.0  –  <29.0.2

References 2

  • bugs.launchpad.net https://bugs.launchpad.net/keystone/+bug/2150379
    ExploitIssue TrackingPatchThird Party Advisory
  • security.openstack.org https://security.openstack.org/ossa/OSSA-2026-015.html
    PatchVendor Advisory

Remediation

  • bugs.launchpad.net https://bugs.launchpad.net/keystone/+bug/2150379
    ExploitIssue TrackingPatchThird Party Advisory
  • security.openstack.org https://security.openstack.org/ossa/OSSA-2026-015.html
    PatchVendor Advisory