CVE-2026-43001
Summary
| CVE | CVE-2026-43001 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-01 09:16:17 UTC |
| Updated | 2026-06-30 03:19:43 UTC |
| Description | An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint. |
Risk And Classification
Primary CVSS: v3.1 8 HIGH from [email protected]
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.000180000 probability, percentile 0.050310000 (date 2026-06-02)
Problem Types: CWE-863 | CWE-1288 | CWE-863 CWE-863 Incorrect Authorization | CWE-1288 Improper Validation of Consistency within Input
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 8 | HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 8 | HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 7.9 | HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8 | HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 7.9 | HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | OpenStack | Keystone | affected 14.0.0 27.0.2 semver | Not specified |
| CNA | OpenStack | Keystone | affected 28.0.0 28.0.2 semver | Not specified |
| CNA | OpenStack | Keystone | affected 29.0.0 29.0.2 semver | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 16.2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 17.1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 18.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 13 Queens | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| review.opendev.org/c/openstack/keystone/+/985804 | [email protected] | review.opendev.org | Patch |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43001.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| security.openstack.org/ossa/OSSA-2026-015.html | [email protected] | security.openstack.org | Patch, Vendor Advisory |
| bugs.launchpad.net/keystone/+bug/2149775 | [email protected] | bugs.launchpad.net | Exploit, Issue Tracking, Patch, Third Party Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-43001 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-01T09:00:55.408Z | Reported to Red Hat. |
| ADP | 2026-05-01T00:00:00.000Z | Made public. |
Workarounds
ADP: To reduce exposure, ensure that OpenStack application credentials are created with the most restrictive scope possible, limiting their permissions to only what is essential for their intended function. If EC2 credentials are not actively used within your OpenStack deployment, consider disabling the EC2 credential API endpoint in Keystone to prevent unauthorized creation of cross-project EC2 credentials. Refer to the OpenStack Keystone administration guide for detailed instructions on managing application credential scopes and disabling API endpoints. Any changes to Keystone configuration may require a service restart to take effect.