CVE-2026-33551
3.5 LOW
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0.
Published: 2026-04-10 · Last updated: 2026-06-05
Severity and scoring
- CVSS: 3.5 LOW
- Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
- CWE: CWE-863 (Incorrect Authorization)
Affected products
| Vendor | Product |
|---|---|
| openstack | keystone |
Description
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
Source: NVD
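The description gives operators no way to tell, from Keystone's own records, which EC2 credentials were minted through a restricted application credential. The following audit script is an added example, not code from Keystone, the OSSA advisory, or the Launchpad bug: it walks the `credentials` array returned by GET /v3/credentials and the `application_credentials` arrays returned by GET /v3/users/{user_id}/application_credentials, and flags EC2 credentials whose owner holds a restricted (non-`unrestricted`) application credential. It additionally treats an `app_cred_id` key inside the EC2 blob as a high-confidence link back to the originating application credential; that some Keystone releases record such a key is an assumption here, so credentials without it are reported for manual review rather than ignored. All sample payloads are constructed.

```python
"""Audit Keystone EC2 credentials against restricted application credentials.

Added example for CVE-2026-33551; not code from Keystone or the advisory.
Input shapes follow the Keystone v3 API (GET /v3/credentials and
GET /v3/users/{user_id}/application_credentials); the sample payloads
below are constructed, not captured from a real deployment.
"""
import json

# Constructed sample: a restricted (reader-only) application credential for
# user u-alice and an unrestricted one for user u-bob.
SAMPLE_APP_CREDS = [
    {"id": "ac-reader", "name": "ci-readonly", "user_id": "u-alice",
     "project_id": "p-1", "unrestricted": False,
     "roles": [{"id": "r-reader", "name": "reader"}]},
    {"id": "ac-full", "name": "admin-tool", "user_id": "u-bob",
     "project_id": "p-1", "unrestricted": True,
     "roles": [{"id": "r-member", "name": "member"}]},
]

# Constructed sample: Keystone returns the EC2 blob as a JSON string.
SAMPLE_CREDENTIALS = [
    # Blob names the restricted app cred as its origin (assumption: some
    # releases record app_cred_id; treated here as a bonus signal only).
    {"id": "c-1", "type": "ec2", "user_id": "u-alice", "project_id": "p-1",
     "blob": json.dumps({"access": "AK1", "secret": "SK1", "app_cred_id": "ac-reader"})},
    # Same owner, origin not recorded: cannot tell how it was created.
    {"id": "c-2", "type": "ec2", "user_id": "u-alice", "project_id": "p-1",
     "blob": json.dumps({"access": "AK2", "secret": "SK2"})},
    # Owner holds only an unrestricted app cred: out of scope for this bug.
    {"id": "c-3", "type": "ec2", "user_id": "u-bob", "project_id": "p-1",
     "blob": json.dumps({"access": "AK3", "secret": "SK3"})},
    # Non-EC2 credential types are ignored.
    {"id": "c-4", "type": "cert", "user_id": "u-alice", "project_id": "p-1",
     "blob": "-----BEGIN CERTIFICATE-----"},
]


def restricted_app_creds(app_creds):
    """Map id -> application credential for every credential that is not unrestricted."""
    return {ac["id"]: ac for ac in app_creds if not ac.get("unrestricted", False)}


def _parse_blob(blob):
    """EC2 blobs are JSON strings; tolerate dicts and malformed data."""
    if isinstance(blob, dict):
        return blob
    try:
        parsed = json.loads(blob)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def audit_ec2_credentials(credentials, app_creds):
    """Return EC2 credentials that may have escaped an application credential's role restriction.

    confidence "high":   the blob names a restricted application credential as its origin.
    confidence "review": the owner holds a restricted application credential, but the blob
                         does not say how the EC2 credential was created; inspect manually.
    """
    restricted = restricted_app_creds(app_creds)
    users_with_restricted = {ac["user_id"] for ac in restricted.values()}
    findings = []
    for cred in credentials:
        if cred.get("type") != "ec2":
            continue
        blob = _parse_blob(cred.get("blob"))
        origin = blob.get("app_cred_id")
        if origin in restricted:
            roles = [r["name"] for r in restricted[origin].get("roles", [])]
            findings.append({
                "credential_id": cred["id"], "user_id": cred["user_id"],
                "access": blob.get("access"), "confidence": "high",
                "reason": f"created via restricted application credential {origin} "
                          f"(roles: {', '.join(roles) or 'none'})",
            })
        elif cred.get("user_id") in users_with_restricted:
            findings.append({
                "credential_id": cred["id"], "user_id": cred["user_id"],
                "access": blob.get("access"), "confidence": "review",
                "reason": "owner holds a restricted application credential; origin not recorded",
            })
    return findings


if __name__ == "__main__":
    for f in audit_ec2_credentials(SAMPLE_CREDENTIALS, SAMPLE_APP_CREDS):
        print(f"{f['confidence']:6} {f['credential_id']} user={f['user_id']} "
              f"access={f['access']}: {f['reason']}")
```

Run it against the raw v3 API responses rather than `openstack credential list` output, whose column names differ from the API keys. A flagged EC2 credential is indistinguishable from one the user created legitimately with a full-scope token, so the outcome of review is rotation or deletion of the access key, not proof of exploitation; the fix itself is the patched Keystone release.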
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-33551)
- [Exploit reference](https://bugs.launchpad.net/keystone/+bug/2142138)
- [Patch](https://security.openstack.org/ossa/OSSA-2026-005.html)
- [Patch](http://www.openwall.com/lists/oss-security/2026/04/07/12)
Related CVEs
Same vendor
- CVE-2026-48681 — OpenStack Ironic before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image (5.9 MEDIUM)
- CVE-2026-44917 — OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via ... (4.9 MEDIUM)
- CVE-2026-46447 — OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info (5.8 MEDIUM)
- CVE-2026-44394 — An issue was discovered in OpenStack Keystone before 29.0.2 (6.0 MEDIUM)
- CVE-2026-43000 — An issue was discovered in OpenStack Keystone before 29.0.2 (6.0 MEDIUM)
Same CWE
- CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
- CVE-2026-53738 — Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler (8.1 HIGH)
- CVE-2026-49824 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (8.5 HIGH)
- CVE-2026-49823 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)
- CVE-2026-48860 — Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the dis...