
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN563
_____________________________________________________________________

DATE                : 29/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Keystone versions prior
                           to 27.0.2, 28.0.2, 29.0.2.

=====================================================================
https://security.openstack.org/ossa/OSSA-2026-015.html
_____________________________________________________________________

==================================================================================================
OSSA-2026-015: Multiple credential delegation and authorization bypass 
vulnerabilities in Keystone
==================================================================================================

:Date: May 28, 2026
:CVE: CVE-2026-42998,
       CVE-2026-42999,
       CVE-2026-43000,
       CVE-2026-43001,
       CVE-2026-44394


Affects
~~~~~~~
- Keystone: >=14.0.0 <27.0.2, >=28.0.0 <28.0.2, >=29.0.0 <29.0.2
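As an added example (not the advisory's or OpenStack's own code), the script below encodes the Affects line exactly as written and reports whether a given Keystone version string falls inside one of its half-open ranges, so an operator can check the output of `pip show keystone` against OSSA-2026-015; the version strings in the main block are constructed samples.

```python
"""Check a Keystone version against the OSSA-2026-015 affected ranges.

Added example, not OpenStack VMT code. AFFECTS is copied verbatim from the
advisory; everything else (helper names, sample versions) is constructed.
"""
import re
from typing import List, Tuple

# Affected ranges exactly as the advisory's "Affects" section lists them.
AFFECTS = ">=14.0.0 <27.0.2, >=28.0.0 <28.0.2, >=29.0.0 <29.0.2"

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '27.0.1' into (27, 0, 1); a suffix like '0rc1' keeps its digit prefix."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:  # pad so '27' compares as 27.0.0
        parts.append(0)
    return tuple(parts)


def parse_ranges(spec: str) -> List[Tuple[Version, Version]]:
    """Each comma-separated clause is '>=LOW <HIGH', i.e. the interval [LOW, HIGH)."""
    ranges = []
    for clause in spec.split(","):
        low = high = None
        for token in clause.split():
            if token.startswith(">="):
                low = parse_version(token[2:])
            elif token.startswith("<"):
                high = parse_version(token[1:])
        if low is None or high is None:
            raise ValueError(f"unparseable range clause: {clause!r}")
        ranges.append((low, high))
    return ranges


def is_affected(version: str, spec: str = AFFECTS) -> bool:
    """True if the version lies inside any affected half-open range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in parse_ranges(spec))


if __name__ == "__main__":
    # Constructed sample versions; 27.0.2, 28.0.2 and 29.0.2 are the fixed releases.
    for sample in ["13.0.4", "26.0.0", "27.0.1", "27.0.2", "28.0.1", "29.0.2"]:
        print(sample, "AFFECTED" if is_affected(sample) else "not in affected range")
```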


Description
~~~~~~~~~~~
Boris Bobrov from SAP SE reported that an authenticated attacker can 
inject RBAC policy targets via the JSON request body, bypassing 
authorization on any policy-protected endpoint to read credential 
secrets, create credentials for arbitrary users, and escalate to cloud 
admin (CVE-2026-42999). Application credential authentication does not 
verify the caller owns the credential, enabling user impersonation 
within a shared project (CVE-2026-42998). This impersonation can be 
chained with trusts to escalate from member to admin, with the resulting 
trust persisting independently (CVE-2026-43000). Tim Shepherd from 
roiai.ca reported that application credentials scoped to one project can 
create EC2 credentials for a different project (CVE-2026-43001). Erichen 
from the Institute of Computing Technology, Chinese Academy of Sciences 
reported that federated users can maintain access indefinitely by 
repeatedly rescoping tokens before expiry, as each rescope issues a 
fresh full-TTL token instead of inheriting the original expiry 
(CVE-2026-44394). Additionally, Artem Goncharov from SysEleven GmbH 
identified related issues in trust-scoped token handling and policy 
enforcement during investigation. All Keystone deployments are affected; 
CVE-2026-44394 only affects SAML2/OIDC deployments.



Patches
~~~~~~~
- https://review.opendev.org/990500 (2025.1/epoxy)
- https://review.opendev.org/990501 (2025.1/epoxy)
- https://review.opendev.org/990502 (2025.1/epoxy)
- https://review.opendev.org/990503 (2025.1/epoxy)
- https://review.opendev.org/990504 (2025.1/epoxy)
- https://review.opendev.org/990495 (2025.2/flamingo)
- https://review.opendev.org/990496 (2025.2/flamingo)
- https://review.opendev.org/990497 (2025.2/flamingo)
- https://review.opendev.org/990498 (2025.2/flamingo)
- https://review.opendev.org/990499 (2025.2/flamingo)
- https://review.opendev.org/990490 (2026.1/gazpacho)
- https://review.opendev.org/990491 (2026.1/gazpacho)
- https://review.opendev.org/990492 (2026.1/gazpacho)
- https://review.opendev.org/990493 (2026.1/gazpacho)
- https://review.opendev.org/990494 (2026.1/gazpacho)
- https://review.opendev.org/990485 (2026.2/hibiscus)
- https://review.opendev.org/990486 (2026.2/hibiscus)
- https://review.opendev.org/990487 (2026.2/hibiscus)
- https://review.opendev.org/990488 (2026.2/hibiscus)
- https://review.opendev.org/990489 (2026.2/hibiscus)


Credits
~~~~~~~
- Boris Bobrov from SAP SE (CVE-2026-42998, CVE-2026-42999, CVE-2026-43000)
- Tim Shepherd from roiai.ca (CVE-2026-43001)
- Erichen from the Institute of Computing Technology, Chinese Academy of
  Sciences (CVE-2026-44394)
- Artem Goncharov from SysEleven GmbH


References
~~~~~~~~~~
- https://launchpad.net/bugs/2148398
- https://launchpad.net/bugs/2148477
- https://launchpad.net/bugs/2149775
- https://launchpad.net/bugs/2149789
- https://launchpad.net/bugs/2150089
- https://launchpad.net/bugs/2150379
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42998
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42999
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43000
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43001
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44394


Notes
~~~~~
- The fix for CVE-2026-42999 modifies the trust policy structure.
  Deployments with customized trust policies may experience issues with
  image upload and Heat service functionality until the custom policy is
  updated.
- CVE-2026-44394 only affects deployments using SAML2 or OIDC
  federation.


--
Goutham Pacha Ravi (gouthamr)
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




