{"dataType":"CVE_RECORD","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2026-43001","assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","dateUpdated":"2026-06-30T12:08:35.967Z","dateReserved":"2026-05-01T00:00:00.000Z","datePublished":"2026-05-01T00:00:00.000Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Keystone","vendor":"OpenStack","versions":[{"lessThan":"27.0.2","status":"affected","version":"14.0.0","versionType":"semver"},{"lessThan":"28.0.2","status":"affected","version":"28.0.0","versionType":"semver"},{"lessThan":"29.0.2","status":"affected","version":"29.0.0","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*","versionStartIncluding":"14.0.0","versionEndExcluding":"27.0.2"},{"vulnerable":true,"criteria":"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*","versionStartIncluding":"28.0.0","versionEndExcluding":"28.0.2"},{"vulnerable":true,"criteria":"cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*","versionStartIncluding":"29.0.0","versionEndExcluding":"29.0.2"}]}]}],"descriptions":[{"lang":"en","value":"An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.9,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863 Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre","dateUpdated":"2026-05-28T18:38:35.182Z"},"references":[{"url":"https://bugs.launchpad.net/keystone/+bug/2149775"},{"url":"https://review.opendev.org/c/openstack/keystone/+/985804"},{"url":"https://security.openstack.org/ossa/OSSA-2026-015.html"}],"x_generator":{"engine":"enrichogram 0.0.1"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-01T13:28:01.589906Z","id":"CVE-2026-43001","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-01T13:28:14.602Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openstack:16.2"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 16.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:17.1"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 17.1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:18.0"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 18.0","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:13"],"defaultStatus":"unaffected","product":"Red Hat OpenStack Platform 13 (Queens)","vendor":"Red Hat"}],"datePublic":"2026-05-01T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in OpenStack Keystone. An attacker holding an unrestricted application credential could exploit a vulnerability in the POST /v3/credentials endpoint where the caller-supplied project_id for an EC2-type credential was not validated against the project of the authenticating application credential. This allows the attacker to create an EC2 credential targeting a different project. Subsequently, a /v3/ec2tokens exchange would issue a Keystone token scoped to the targeted project, enabling unauthorized cross-project access and lateral movement within the credential owner's role footprint."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1288","description":"Improper Validation of Consistency within Input","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-43001"},{"name":"RHBZ#2464305","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2464305"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43001.json"}],"timeline":[{"lang":"en","time":"2026-05-01T09:00:55.408Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-01T00:00:00.000Z","value":"Made public."}],"title":"OpenStack Keystone: OpenStack Keystone: Unauthorized cross-project access due to improper validation in EC2 credential creation","workarounds":[{"lang":"en","value":"To reduce exposure, ensure that OpenStack application credentials are created with the most restrictive scope possible, limiting their permissions to only what is essential for their intended function. If EC2 credentials are not actively used within your OpenStack deployment, consider disabling the EC2 credential API endpoint in Keystone to prevent unauthorized creation of cross-project EC2 credentials. Refer to the OpenStack Keystone administration guide for detailed instructions on managing application credential scopes and disabling API endpoints. Any changes to Keystone configuration may require a service restart to take effect."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:08:35.967Z"}}]},"dataVersion":"5.2"}