CVE-2026-42998

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.

CVSS v3 6.0 MEDIUM

6.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://bugs.launchpad.net/keystone/+bug/2148477	Exploit Issue Tracking Third Party Advisory Patch
https://security.openstack.org/ossa/OSSA-2026-015.html	Vendor Advisory Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openstack:keystone::::::::
	cpe:2.3:a:openstack:keystone::::::::
	cpe:2.3:a:openstack:keystone::::::::

History

02 Jun 2026, 14:50

Type	Values Removed	Values Added
References	~~() https://bugs.launchpad.net/keystone/+bug/2148477 -~~	() https://bugs.launchpad.net/keystone/+bug/2148477 - Exploit, Issue Tracking, Third Party Advisory, Patch
References	~~() https://security.openstack.org/ossa/OSSA-2026-015.html -~~	() https://security.openstack.org/ossa/OSSA-2026-015.html - Vendor Advisory, Patch
First Time		Openstack keystone Openstack
CPE		cpe:2.3:a:openstack:keystone::::::::

28 May 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-28 19:16

Updated : 2026-06-02 14:50

NVD link : CVE-2026-42998

Mitre link : CVE-2026-42998

CVE.ORG link : CVE-2026-42998

JSON object : View

Products Affected

openstack

keystone

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-42998", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-05-28T19:16:37.483", "references": [{"url": "https://bugs.launchpad.net/keystone/+bug/2148477", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory", "Patch"], "source": "cve@mitre.org"}, {"url": "https://security.openstack.org/ossa/OSSA-2026-015.html", "tags": ["Vendor Advisory", "Patch"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects."}], "lastModified": "2026-06-02T14:50:36.337", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "541F5133-3C0B-4973-BEDC-1A7D4BA292CA", "versionEndExcluding": "27.0.2", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE1CC117-FDCA-493D-B811-57BC9ADC9260", "versionEndExcluding": "28.0.2", "versionStartIncluding": "28.0.0"}, {"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "594C43ED-BCAE-43C2-9B5F-5D4AF2F2AC08", "versionEndExcluding": "29.0.2", "versionStartIncluding": "29.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}