=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN362
_____________________________________________________________________

DATE                : 08/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Keystone versions >=14.0.0 <26.1.1,
                           ==27.0.0, ==28.0.0, ==29.0.0.

=====================================================================
https://security.openstack.org/ossa/OSSA-2026-005.html
_____________________________________________________________________


OSSA-2026-005: Restricted application credentials can create EC2
credentials

Date:

    April 07, 2026

CVE:

    CVE-2026-33551

Affects:

    Keystone: >=14.0.0 <26.1.1, ==27.0.0, ==28.0.0, ==29.0.0

Description

Maxence Bornecque from Orange Cyberdefense CERT Vulnerability
Intelligence Watch Team reported a vulnerability in Keystone’s EC2
credential creation endpoint. By using a restricted application
credential to call the EC2 credential creation API, an authenticated
user with only a reader role may obtain an EC2/S3 credential that
carries the full set of the parent user’s S3 permissions, effectively
bypassing the role restrictions imposed on the application credential.
Only deployments that use restricted application credentials in
combination with the EC2/S3 compatibility API (swift3 / s3api) are
affected.
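To decide whether a deployed Keystone release falls inside the "Affects" ranges quoted above and therefore needs one of the patches listed below, here is an added helper that is not part of the advisory or of Keystone: it parses the advisory's version specification, treating comma-separated alternatives as OR and space-separated constraints within one alternative as AND.

```python
import re
from typing import List, Tuple

# Affected-version spec, copied from the "Affects" line of OSSA-2026-005.
AFFECTED_SPEC = ">=14.0.0 <26.1.1, ==27.0.0, ==28.0.0, ==29.0.0"

Version = Tuple[int, ...]
_CONSTRAINT_RE = re.compile(r"^(>=|<=|==|<|>)(\d+(?:\.\d+)*)$")
_OPS = {">=": (0, 1), "<=": (-1, 0), "==": (0,), "<": (-1,), ">": (1,)}  # accepted cmp results


def parse_version(text: str) -> Version:
    """Turn '26.1.1' into (26, 1, 1); reject anything that is not a dotted integer tuple."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in text.split("."))


def _cmp(a: Version, b: Version) -> int:
    """Compare numerically, padding the shorter tuple with zeros so 26.1 == 26.1.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_spec(spec: str) -> List[List[Tuple[str, Version]]]:
    """Commas separate alternatives (OR); whitespace inside an alternative joins constraints (AND)."""
    clauses = []
    for alt in spec.split(","):
        constraints = []
        for token in alt.split():
            m = _CONSTRAINT_RE.match(token)
            if not m:
                raise ValueError(f"bad constraint: {token!r}")
            constraints.append((m.group(1), parse_version(m.group(2))))
        if constraints:
            clauses.append(constraints)
    return clauses


def is_affected(version: str, spec: str = AFFECTED_SPEC) -> bool:
    """True when the installed Keystone version falls inside any alternative of the spec."""
    v = parse_version(version)
    return any(all(_cmp(v, bound) in _OPS[op] for op, bound in clause)
               for clause in parse_spec(spec))
```

Feed it the version reported by your Keystone package or `keystone-manage --version`; a fixed release such as 26.1.1 returns False while 27.0.0 returns True.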


Patches

    https://review.opendev.org/983597 (2024.1/caracal)

    https://review.opendev.org/983591 (2024.2/dalmatian)

    https://review.opendev.org/983589 (2025.1/epoxy)

    https://review.opendev.org/983588 (2025.2/flamingo)

    https://review.opendev.org/983593 (2026.1/gazpacho)

    https://review.opendev.org/983587 (2026.2/hibiscus)


Credits

    Maxence Bornecque from Orange Cyberdefense CERT Vulnerability
    Intelligence Watch Team (CVE-2026-33551)


References

    https://launchpad.net/bugs/2142138

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33551

Notes

    The unmaintained/2024.1 branch is unmaintained and will receive
    no new point releases, but a patch for it is provided as a courtesy.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================