QSearchQSearch

CVE-2026-43000

6.0 MEDIUM

An issue was discovered in OpenStack Keystone before 29.0.2

Published: 2026-05-28 · Last updated: 2026-06-02

Severity and scoring

CVSS
6.0 MEDIUM
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
CWE
CWE-863

Affected products

VendorProduct
openstackkeystone

Description

An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-48681 OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image (5.9 MEDIUM)
  • CVE-2026-44917 OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via ... (4.9 MEDIUM)
  • CVE-2026-46447 OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info (5.8 MEDIUM)
  • CVE-2026-44394 An issue was discovered in OpenStack Keystone before 29.0.2 (6.0 MEDIUM)
  • CVE-2026-42999 An issue was discovered in OpenStack Keystone before 29.0.2 (6.0 MEDIUM)

Same CWE

  • CVE-2026-49219 ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
  • CVE-2026-53738 Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler (8.1 HIGH)
  • CVE-2026-49824 Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (8.5 HIGH)
  • CVE-2026-49823 Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)
  • CVE-2026-48860 Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the dis...