#1135645 keystone: CVE-2026-43001

Package:
src:keystone
Source:
src:keystone
Submitter:
Salvatore Bonaccorso
Date:
2026-06-08 20:25:02 UTC
Severity:
normal
Tags:
#1135645#5
Date:
2026-05-04 04:52:23 UTC
From:
To:
Hi,

The following vulnerability was published for keystone.

CVE-2026-43001[0]:
| An issue was discovered in OpenStack Keystone 13 through 29. POST
| /v3/credentials did not validate that the caller-supplied project_id
| for an EC2-type credential matched the project of the authenticating
| application credential. This allowed an attacker holding an
| unrestricted application credential for project A to create an EC2
| credential targeting project B; a subsequent /v3/ec2tokens exchange
| would then issue a Keystone token scoped to project B while still
| carrying the original app_cred_id, enabling cross-project lateral
| movement within the credential owner's role footprint.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-43001
https://www.cve.org/CVERecord?id=CVE-2026-43001
[1] https://bugs.launchpad.net/keystone/+bug/2149775
[2] https://review.opendev.org/c/openstack/keystone/+/985804

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
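The CVE text above describes a missing boundary check on two paths: the creation-time path (POST /v3/credentials accepting a caller-supplied project_id for an EC2-type credential) and, per the commit message later in this bug, the auth-time path (the /v3/ec2tokens exchange). The following is an added example, not Keystone's code and not the upstream patch: it models the guard a defender would expect on both paths, using hypothetical names (AuthContext, Ec2Credential, the app_cred_project_id fields) and constructed sample requests.

```python
# Added example (not Keystone's own code): a project-boundary guard for
# EC2-type credentials created or exchanged under an application credential.
# All type and field names below are hypothetical, chosen to illustrate the
# check; they are not Keystone identifiers.
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when a request would cross the application credential's project."""


@dataclass(frozen=True)
class AuthContext:
    """What the server knows about the caller after validating its token."""
    user_id: str
    project_id: str                            # project the token is scoped to
    app_cred_id: Optional[str] = None          # set when an app cred was used
    app_cred_project_id: Optional[str] = None  # project that app cred belongs to


@dataclass(frozen=True)
class Ec2Credential:
    """Stored EC2 credential (constructed shape, not Keystone's schema)."""
    access: str
    user_id: str
    project_id: str                            # project the credential targets
    app_cred_project_id: Optional[str] = None  # app cred project at creation


def check_ec2_credential_create(ctx: AuthContext, body: dict) -> str:
    """Creation-time guard for POST /v3/credentials with type=ec2.

    The vulnerable behaviour trusted body['project_id'] as supplied. The guard
    requires it to equal the authenticating app cred's project and returns the
    project the new credential is bound to.
    """
    if body.get("type") != "ec2":
        raise ValueError("this guard only covers ec2-type credentials")
    target = body.get("project_id")
    if not target:
        raise ValueError("ec2 credentials require a project_id")
    if ctx.app_cred_id is not None and target != ctx.app_cred_project_id:
        raise Forbidden(
            f"app cred {ctx.app_cred_id} is bound to project "
            f"{ctx.app_cred_project_id}; refusing ec2 credential for {target}")
    return target


def check_ec2_token_exchange(cred: Ec2Credential) -> str:
    """Auth-time guard for the /v3/ec2tokens exchange.

    Assumes the request signature has already been verified. Before a token
    scoped to cred.project_id is issued, refuse credentials that were created
    under an app cred for a different project (those created before the
    creation-time guard existed). Returns the project the token may target.
    """
    if (cred.app_cred_project_id is not None
            and cred.project_id != cred.app_cred_project_id):
        raise Forbidden(
            f"ec2 credential {cred.access} targets {cred.project_id} but was "
            f"created under an app cred for {cred.app_cred_project_id}")
    return cred.project_id


def evaluate_samples() -> dict:
    """Run both guards over constructed requests and report the decisions."""
    ctx = AuthContext(user_id="u1", project_id="proj-A",
                      app_cred_id="ac-1", app_cred_project_id="proj-A")
    results = {}
    for name, body in [
        ("same-project", {"type": "ec2", "project_id": "proj-A"}),
        ("cross-project", {"type": "ec2", "project_id": "proj-B"}),
    ]:
        try:
            results[name] = "allow:" + check_ec2_credential_create(ctx, body)
        except Forbidden:
            results[name] = "deny"
    # A constructed credential that slipped through before the creation-time
    # guard: targets proj-B although it was created by an app cred for proj-A.
    legacy = Ec2Credential(access="ACCESS-constructed", user_id="u1",
                           project_id="proj-B", app_cred_project_id="proj-A")
    try:
        results["legacy-exchange"] = "allow:" + check_ec2_token_exchange(legacy)
    except Forbidden:
        results["legacy-exchange"] = "deny"
    return results


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:16s} {decision}")
```

A caller that authenticated with a password or a plain token has no app_cred_id, so the creation-time guard leaves it alone and ordinary RBAC policy decides; the auth-time guard matters for credentials that already exist in the database when the fix is deployed, which is why the changelog entry in this bug says the check was extended to that path.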

#1135645#10
Date:
2026-05-28 15:09:23 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/b1462235463060d9c62ba04886a9e861f1f73800
------------------------------------------------------------------------
  * Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#15
Date:
2026-05-28 15:09:50 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/a98236adb793487f1234de9cf534463114d66b52
------------------------------------------------------------------------
  * Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#18
Date:
2026-05-28 15:11:27 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/c4e8eccb212845009a8b315dc19409a1eb21b8a1
------------------------------------------------------------------------
  * Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#21
Date:
2026-05-28 15:11:57 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/3aa3f0d787d2a25d380bebfc50032059c591eef9
------------------------------------------------------------------------
  * Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#24
Date:
2026-05-28 15:12:32 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/f6200b3e153e5f86e92e50107b71005ee25b39a9
------------------------------------------------------------------------
  * Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#27
Date:
2026-05-28 15:12:59 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/b63f142f8ab0347b1dbede7a677260bda273b733
------------------------------------------------------------------------
  * Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#30
Date:
2026-05-28 15:13:16 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/231418de175e5d41accea194039dcce77768f079
------------------------------------------------------------------------
  * Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#33
Date:
2026-05-28 15:14:41 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/b95a9371edb4679a5381b6afbddb25ac7fd7a7d4
------------------------------------------------------------------------
  * Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#36
Date:
2026-05-28 15:15:31 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/3dc5786a48eb7549ecf82db553972f65d8280d5f
------------------------------------------------------------------------
  * Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645
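The project-boundary guard the changelog above describes for CVE-2026-43001, as an added model. This is not Keystone's code and not the Debian patches: it is a toy credential store and token exchange that reproduces the two paths named in the changelog, the creation-time path (POST /v3/credentials) and the auth-time path (/v3/ec2tokens), with the guard switchable so the cross-project token from the advisory can first be reproduced and then blocked. The class and function names, the HMAC-SHA256 request signature standing in for the real EC2 signing scheme, and the sample identifiers (project-A, project-B, appcred-A, AKIA-TEST) are all assumptions constructed for the example.

```python
"""Model of the EC2 credential project-boundary guard (CVE-2026-43001).

Added example, not Keystone's implementation. AppCredToken, CredentialService,
the HMAC-SHA256 signature and every identifier below are assumptions of this
model, not Keystone's real API or wire format.
"""
from __future__ import annotations

from dataclasses import dataclass, field
import hashlib
import hmac
import json
import uuid


class Forbidden(Exception):
    """Stand-in for an HTTP 403 from the identity service."""


@dataclass(frozen=True)
class AppCredToken:
    """Project-scoped token obtained by authenticating with an application credential."""
    user_id: str
    project_id: str
    app_cred_id: str


@dataclass
class EC2Credential:
    id: str
    user_id: str
    project_id: str
    access: str
    secret: str
    app_cred_id: str | None  # recorded when the credential was minted under an app cred


@dataclass(frozen=True)
class IssuedToken:
    user_id: str
    project_id: str
    app_cred_id: str | None  # the advisory notes the token still carries this


def sign(secret: str, canonical: str) -> str:
    """Simplified request signature (assumption: HMAC-SHA256 over a canonical string)."""
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


@dataclass
class CredentialService:
    app_creds: dict[str, str]                 # app_cred_id -> project it is scoped to
    enforce_project_boundary: bool = True     # False reproduces the reported behaviour
    store: dict[str, EC2Credential] = field(default_factory=dict)
    by_access: dict[str, EC2Credential] = field(default_factory=dict)

    def create_ec2_credential(self, token: AppCredToken, body: dict) -> EC2Credential:
        """POST /v3/credentials with type=ec2: the creation-time path."""
        cred = body["credential"]
        # On the vulnerable path a caller-supplied project_id is accepted as-is.
        project_id = cred.get("project_id") or token.project_id
        if self.enforce_project_boundary and project_id != token.project_id:
            raise Forbidden("ec2 credential project_id does not match app cred project")
        blob = json.loads(cred["blob"])
        rec = EC2Credential(uuid.uuid4().hex, token.user_id, project_id,
                            blob["access"], blob["secret"], token.app_cred_id)
        self.store[rec.id] = rec
        self.by_access[rec.access] = rec
        return rec

    def ec2tokens(self, access: str, canonical: str, signature: str) -> IssuedToken:
        """/v3/ec2tokens exchange: the auth-time path."""
        rec = self.by_access.get(access)
        if rec is None or not hmac.compare_digest(sign(rec.secret, canonical), signature):
            raise Forbidden("invalid EC2 signature")
        if self.enforce_project_boundary and rec.app_cred_id is not None:
            # Auth-time guard: re-check the boundary so records created before the
            # creation-time fix cannot be exchanged for a token in another project.
            owner_project = self.app_creds.get(rec.app_cred_id)
            if owner_project is None or owner_project != rec.project_id:
                raise Forbidden("ec2 credential escapes the application credential's project")
        return IssuedToken(rec.user_id, rec.project_id, rec.app_cred_id)


def scenario(enforce_create: bool, enforce_auth: bool, target_project: str) -> str:
    """Create an EC2 credential for target_project under an app cred scoped to
    project-A, then exchange it. Returns '<project> via <app_cred_id>' for the
    issued token, or 'forbidden' if a guard refused. Separate flags let a record
    be created without the creation-time guard and exchanged with the auth-time one."""
    svc = CredentialService(app_creds={"appcred-A": "project-A"},
                            enforce_project_boundary=enforce_create)
    caller = AppCredToken(user_id="user-1", project_id="project-A", app_cred_id="appcred-A")
    body = {"credential": {"type": "ec2", "project_id": target_project,
                           "blob": json.dumps({"access": "AKIA-TEST", "secret": "s3cr3t"})}}
    canonical = "GET\n/\nAction=DescribeInstances"  # constructed request to sign
    try:
        svc.create_ec2_credential(caller, body)
        svc.enforce_project_boundary = enforce_auth
        tok = svc.ec2tokens("AKIA-TEST", canonical, sign("s3cr3t", canonical))
    except Forbidden:
        return "forbidden"
    return f"{tok.project_id} via {tok.app_cred_id}"


if __name__ == "__main__":
    print("unchecked:       ", scenario(False, False, "project-B"))
    print("creation guard:  ", scenario(True, True, "project-B"))
    print("auth guard only: ", scenario(False, True, "project-B"))
    print("same project:    ", scenario(True, True, "project-A"))
```

The auth-time check matters because a guard on creation alone leaves any EC2 credential that was minted before the fix exchangeable for a token in the wrong project; the changelog says the Debian patch set adds exactly that second check.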

#1135645#39
Date:
2026-05-28 15:15:46 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/03da29955d89bdab5e73ffcf2584a3ad616f6714
------------------------------------------------------------------------
* Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645
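The token-expiry behaviour the changelog above describes for CVE-2026-44394, as an added model rather than Keystone's code. The changelog states that rescoping a federated (SAML2/OIDC) token issued a fresh token with a full TTL instead of inheriting the original expiry, so a holder could keep rescoping before each expiry and never lose access. The model below issues and rescopes tokens under both rules and measures how long a chain of rescopes keeps a user authenticated. The TokenProvider class, the one-hour TTL, the fifty-minute rescope interval and the decision to apply inheritance to federated tokens (the path the changelog names) are assumptions of this model; what the fix does for other token types is not stated on the page and is not modelled.

```python
"""Model of token rescoping with and without expiry inheritance (CVE-2026-44394).

Added example, not Keystone's implementation. TokenProvider, the TTL and the
sample timestamps are assumptions constructed for this model.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TTL = timedelta(hours=1)  # assumed token lifetime


class Unauthorized(Exception):
    """Stand-in for an HTTP 401: the presented token is no longer valid."""


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: str | None
    expires_at: datetime
    federated: bool  # issued through a SAML2/OIDC mapping


class TokenProvider:
    def __init__(self, ttl: timedelta = TTL, inherit_expiry: bool = True):
        self.ttl = ttl
        # False reproduces the reported behaviour: every rescope gets a full TTL.
        self.inherit_expiry = inherit_expiry

    def issue(self, user_id: str, project_id: str | None, federated: bool,
              now: datetime) -> Token:
        return Token(user_id, project_id, now + self.ttl, federated)

    def rescope(self, token: Token, project_id: str, now: datetime) -> Token:
        """Exchange a valid token for one scoped to project_id."""
        if now >= token.expires_at:
            raise Unauthorized("token expired")
        expires_at = now + self.ttl
        if self.inherit_expiry and token.federated:
            # The rescoped token may not outlive the token it was derived from,
            # so the federated session ends when the original assertion's token does.
            expires_at = min(expires_at, token.expires_at)
        return Token(token.user_id, project_id, expires_at, token.federated)


def chain_rescopes(inherit_expiry: bool, hops: int, step_minutes: int = 50) -> int:
    """Issue a federated token, then rescope it `hops` times at `step_minutes`
    intervals, stopping at the first refusal. Returns the minutes, counted from
    the original issue time, for which the last token obtained stays valid."""
    provider = TokenProvider(inherit_expiry=inherit_expiry)
    t0 = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed issue time
    tok = provider.issue("fed-user", "project-A", federated=True, now=t0)
    for i in range(1, hops + 1):
        now = t0 + timedelta(minutes=step_minutes * i)
        try:
            tok = provider.rescope(tok, "project-A", now)
        except Unauthorized:
            break
    return int((tok.expires_at - t0).total_seconds() // 60)


if __name__ == "__main__":
    print("fresh TTL per rescope (reported):", chain_rescopes(False, hops=3), "minutes")
    print("inherited expiry (fixed):        ", chain_rescopes(True, hops=3), "minutes")
```

With a one-hour TTL and a rescope every fifty minutes, the reported behaviour lets three rescopes extend the session to 210 minutes and further hops extend it without bound; with inheritance the first rescope is capped at the original sixty-minute expiry and the second is refused.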

#1135645#42
Date:
2026-05-28 15:16:09 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/2756d9bffd3de30d1698fba802bc564f39a5772e
------------------------------------------------------------------------
* Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#45
Date:
2026-05-28 15:16:31 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/dd17982d1a4b300636bfd2359e155bbef9ca391a
------------------------------------------------------------------------
* Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#48
Date:
2026-05-28 15:16:54 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/8649c4cf4c14816721fda5bb9aa0490eadd11b0b
------------------------------------------------------------------------
* Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#51
Date:
2026-05-28 15:17:10 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/8961755f6cda80a5c4a480420741a25de191a371
------------------------------------------------------------------------
* Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#54
Date:
2026-05-28 15:29:50 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/21c7471b0778b320d781989e86e67795274e9688
------------------------------------------------------------------------
* Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
  * Blacklist: test_sign_assertion_logs_message_if_xmlsec1_is_not_installed.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#57
Date:
2026-05-28 15:30:31 UTC
From:
To:
Hello,

Bug #1135645 in keystone reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/keystone/-/commit/dd17982d1a4b300636bfd2359e155bbef9ca391a
------------------------------------------------------------------------
* Multiple vulnerabilities in Keystone's delegated authentication allow an
    authenticated user to escalate privileges to cloud admin. The most severe
    (CVE-2026-42999) requires only a valid token:
    - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
      request body, bypassing authorization on any policy-protected endpoint.
      Allows reading all credential secrets, creating credentials for arbitrary
      users, and granting admin across domains. (LP#2148398, reported by Boris
      Bobrov, SAP SE).
    - CVE-2026-42998: Application credential authentication does not verify the
      caller owns the credential, allowing user impersonation within a shared
      project. (LP#2148477, reported by Boris Bobrov, SAP SE).
    - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
      with trusts to escalate from member to admin. The resulting trust
      persists independently of the original credential. (LP#2148477, reported
      by Boris Bobrov, SAP SE).
    - CVE-2026-43001: Application credentials scoped to one project can create
      EC2 credentials for a different project. A fix for the creation-time
      path is already merged; this patch extends the check to the auth-time
      path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
    - CVE-2026-44394: Federated users can maintain access indefinitely by
      repeatedly rescoping tokens before expiry. Each rescope issues a fresh
      full-TTL token instead of inheriting the original expiry. Only
      SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
      Institute of Computing Technology, Chinese Academy of Sciences).
    .
    The patch also addresses three related issues found during investigation:
    trust-scoped tokens accessing credentials outside the delegated project
    (LP#2149789), trust-scoped tokens creating persistent application
    credentials for impersonated users (LP#2150089), and a latent query-string
    parameter injection in policy enforcement and lack of scope boundary
    enforcement in the delegated token logic (LP#2150089). These were reported
    by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
    .
    Applied the proposed upstream patches:
    - 0001-Add-tests-for-restricted-app-cred-guard.patch
    - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
    - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
    - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
    - CVE-2026-43001-keystone-backport-stable-2025.1.patch
    .
    Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
    trust policy structure. If this policy is customized by the provider,
    failure to update it may result in issues with image upload, heat service
    functionality and potentially more.
  * Note that all the above CVEs are combined into this one: CVE-2026-43001.
    (Closes: #1135645).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1135645

#1135645#62
Date:
2026-05-28 19:18:14 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1135645@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 22 May 2026 00:10:54 +0200
Source: keystone
Architecture: source
Version: 2:29.0.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135645
Changes:
 keystone (2:29.0.1-2) unstable; urgency=medium
 .
   * Multiple vulnerabilities in Keystone's delegated authentication allow an
     authenticated user to escalate privileges to cloud admin. The most severe
     (CVE-2026-42999) requires only a valid token:
     - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
       request body, bypassing authorization on any policy-protected endpoint.
       Allows reading all credential secrets, creating credentials for arbitrary
       users, and granting admin across domains. (LP#2148398, reported by Boris
       Bobrov, SAP SE).
     - CVE-2026-42998: Application credential authentication does not verify the
       caller owns the credential, allowing user impersonation within a shared
       project. (LP#2148477, reported by Boris Bobrov, SAP SE).
     - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
       with trusts to escalate from member to admin. The resulting trust
       persists independently of the original credential. (LP#2148477, reported
       by Boris Bobrov, SAP SE).
     - CVE-2026-43001: Application credentials scoped to one project can create
       EC2 credentials for a different project. A fix for the creation-time
       path is already merged; this patch extends the check to the auth-time
       path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
     - CVE-2026-44394: Federated users can maintain access indefinitely by
       repeatedly rescoping tokens before expiry. Each rescope issues a fresh
       full-TTL token instead of inheriting the original expiry. Only
       SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
       Institute of Computing Technology, Chinese Academy of Sciences).
     .
     The patch also addresses three related issues found during investigation:
     trust-scoped tokens accessing credentials outside the delegated project
     (LP#2149789), trust-scoped tokens creating persistent application
     credentials for impersonated users (LP#2150089), and a latent query-string
     parameter injection in policy enforcement and lack of scope boundary
     enforcement in the delegated token logic (LP#2150089). These were reported
     by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
     .
     Applied the proposed upstream patches:
     - 0001-Add-tests-for-restricted-app-cred-guard.patch
     - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
     - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
     - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
     - CVE-2026-43001-keystone-backport-stable-2025.1.patch
     .
     Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
     trust policy structure. If this policy is customized by the provider,
     failure to update it may result in issues with image upload, heat service
     functionality and potentially more.
   * Note that all the above CVEs are combined into this one: CVE-2026-43001.
     (Closes: #1135645).
Checksums-Sha1:
 f35d68711d95ab79730ebaba34abe13a17931a97 3458 keystone_29.0.1-2.dsc
 e565c53929e235c643dc3f5fcd6db34dd7f6e78d 67656 keystone_29.0.1-2.debian.tar.xz
 de31f82dec1070c5e43e4bcd3de65c5f7d017c1e 17424 keystone_29.0.1-2_amd64.buildinfo
Checksums-Sha256:
 1aeafd6ba36f1f358301a6e53acd5b3cbca6fe906dc5a0db919cdc9e0c5a67ec 3458 keystone_29.0.1-2.dsc
 1f4cebf6b41bc9997c06487803d4701aaea9ad5b5c656d2357772e552fa9c8de 67656 keystone_29.0.1-2.debian.tar.xz
 674e5d9510ef7b238f70ee7dca7ea5e6d4af10a01274f171311b9477e7e8daef 17424 keystone_29.0.1-2_amd64.buildinfo
Files:
 5d5aadb51a3e7464b47d0269be7a800e 3458 net optional keystone_29.0.1-2.dsc
 7b81f15216001620b9de2c6633819459 67656 net optional keystone_29.0.1-2.debian.tar.xz
 9e82cb396f6b6b52b781f8a3945d99a2 17424 net optional keystone_29.0.1-2_amd64.buildinfo

#1135645#67
Date:
2026-06-08 19:50:22 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1135645@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 25 May 2026 16:50:52 +0200
Source: keystone
Architecture: source
Version: 2:22.0.2-0+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135645
Changes:
 keystone (2:22.0.2-0+deb12u3) bookworm-security; urgency=medium
 .
   * Multiple vulnerabilities in Keystone's delegated authentication allow an
     authenticated user to escalate privileges to cloud admin. The most severe
     (CVE-2026-42999) requires only a valid token:
     - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
       request body, bypassing authorization on any policy-protected endpoint.
       Allows reading all credential secrets, creating credentials for arbitrary
       users, and granting admin across domains. (LP#2148398, reported by Boris
       Bobrov, SAP SE).
     - CVE-2026-42998: Application credential authentication does not verify the
       caller owns the credential, allowing user impersonation within a shared
       project. (LP#2148477, reported by Boris Bobrov, SAP SE).
     - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
       with trusts to escalate from member to admin. The resulting trust
       persists independently of the original credential. (LP#2148477, reported
       by Boris Bobrov, SAP SE).
     - CVE-2026-43001: Application credentials scoped to one project can create
       EC2 credentials for a different project. A fix for the creation-time
       path is already merged; this patch extends the check to the auth-time
       path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
     - CVE-2026-44394: Federated users can maintain access indefinitely by
       repeatedly rescoping tokens before expiry. Each rescope issues a fresh
       full-TTL token instead of inheriting the original expiry. Only
       SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
       Institute of Computing Technology, Chinese Academy of Sciences).
     .
     The patch also addresses three related issues found during investigation:
     trust-scoped tokens accessing credentials outside the delegated project
     (LP#2149789), trust-scoped tokens creating persistent application
     credentials for impersonated users (LP#2150089), and a latent query-string
     parameter injection in policy enforcement and lack of scope boundary
     enforcement in the delegated token logic (LP#2150089). These were reported
     by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
     .
     Applied the proposed upstream patches:
     - 0001-Add-tests-for-restricted-app-cred-guard.patch
     - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
     - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
     - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
     - CVE-2026-43001-keystone-backport-stable-2025.1.patch
     .
     Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
     trust policy structure. If this policy is customized by the provider,
     failure to update it may result in issues with image upload, heat service
     functionality and potentially more.
   * Note that all the above CVEs are combined into this one: CVE-2026-43001.
     (Closes: #1135645).
Checksums-Sha1:
 b2f4ab17e9ee5999d646f92918a2e43f040c64f8 3565 keystone_22.0.2-0+deb12u3.dsc
 0082bb40f85f63bd5bf7d67aa7d0089a229090a3 1055220 keystone_22.0.2.orig.tar.xz
 b97036089fd62033040d6f82ec86d0a5e3b490d2 74204 keystone_22.0.2-0+deb12u3.debian.tar.xz
 4cdcfda16964416ac9642700aa487baed7501987 18263 keystone_22.0.2-0+deb12u3_amd64.buildinfo
Checksums-Sha256:
 8f4f5c84f82e03bf4675ee00e0803f19105440a869453df4b75008cb56bac3f9 3565 keystone_22.0.2-0+deb12u3.dsc
 a30c128c86b0d53be1998fb9babd49956d74fd9130ff198dddd9f24c01b0c22f 1055220 keystone_22.0.2.orig.tar.xz
 ddff9b9b1e0212d4d329b6f31af4eeb1f50fe6a2111f7d7fb72fc4c8eac4fcd2 74204 keystone_22.0.2-0+deb12u3.debian.tar.xz
 7d31671dc3329779b6db7e1a0ed8a0943657354367f7d0b011f732df8d8a3b67 18263 keystone_22.0.2-0+deb12u3_amd64.buildinfo
Files:
 0d2090e1a819ab2bb590cfffa5db591f 3565 net optional keystone_22.0.2-0+deb12u3.dsc
 60a14722d5ffdf9c7893a4568f3e25a9 1055220 net optional keystone_22.0.2.orig.tar.xz
 d2cbc249f0459cfcdb9358d902f1ada6 74204 net optional keystone_22.0.2-0+deb12u3.debian.tar.xz
 7a4fac3445be53c120f73488fc74b681 18263 net optional keystone_22.0.2-0+deb12u3_amd64.buildinfo
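The project-boundary checks behind the CVE-2026-43001 fix, as an added illustrative model and not Keystone's own code. The AuthContext and Credential shapes, the in-memory app_creds table, the function names and the idea of recording app_cred_id in the EC2 credential blob are assumptions made for this example. It places the creation-time check the advisory describes for POST /v3/credentials beside the auth-time check the changelog says the backport adds for the /v3/ec2tokens exchange, and keeps the pre-fix behaviour as legacy_create_ec2_credential so the cross-project outcome can be seen; the restricted-app-cred refusal mirrors the 0002 patch title.

```python
# Added illustrative model of the CVE-2026-43001 boundary checks. Not Keystone's
# code: the data shapes, the app_creds table and app_cred_id-in-blob are assumed.
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """The caller tried to act outside the project its delegation allows."""


@dataclass(frozen=True)
class AuthContext:
    """Assumed view of the authenticating token: app_cred_id is None for
    password/token auth; under an app cred the caller is bounded by
    app_cred_project_id, and only an unrestricted app cred may mint credentials."""
    user_id: str
    project_id: str
    app_cred_id: Optional[str] = None
    app_cred_project_id: Optional[str] = None
    app_cred_unrestricted: bool = False


@dataclass
class Credential:
    id: str
    user_id: str
    project_id: Optional[str]
    blob: dict


def legacy_create_ec2_credential(ctx, cred_id, requested_project_id, access, secret):
    """Pre-fix behaviour: the caller-supplied project_id is stored unchecked."""
    blob = {"access": access, "secret": secret, "app_cred_id": ctx.app_cred_id}
    return Credential(cred_id, ctx.user_id, requested_project_id or ctx.project_id, blob)


def effective_ec2_project(ctx, requested_project_id):
    """Creation-time check (POST /v3/credentials): under an app cred the
    EC2 credential's project_id must equal the app cred's own project."""
    if ctx.app_cred_id is None:
        return requested_project_id or ctx.project_id
    if not ctx.app_cred_unrestricted:
        raise Forbidden("restricted application credential cannot create credentials")
    if requested_project_id is None:
        return ctx.app_cred_project_id
    if requested_project_id != ctx.app_cred_project_id:
        raise Forbidden(f"EC2 credential project {requested_project_id!r} is outside "
                        f"the application credential's project {ctx.app_cred_project_id!r}")
    return requested_project_id


def create_ec2_credential(ctx, cred_id, requested_project_id, access, secret):
    project_id = effective_ec2_project(ctx, requested_project_id)
    blob = {"access": access, "secret": secret}
    if ctx.app_cred_id is not None:
        blob["app_cred_id"] = ctx.app_cred_id  # keep the delegation chain visible
    return Credential(cred_id, ctx.user_id, project_id, blob)


def issue_ec2_token(cred, app_creds):
    """Auth-time check (the /v3/ec2tokens exchange): a credential minted under
    an app cred is honoured only while that app cred still exists and the
    credential's project still matches it, so a credential that slipped through
    an unpatched creation path still cannot become a token for another project."""
    app_cred_id = cred.blob.get("app_cred_id")
    if app_cred_id is not None:
        app_cred = app_creds.get(app_cred_id)
        if app_cred is None:
            raise Forbidden("originating application credential no longer exists")
        if cred.project_id != app_cred["project_id"]:
            raise Forbidden("EC2 credential project differs from the application credential's")
    return {"user_id": cred.user_id, "project_id": cred.project_id, "app_cred_id": app_cred_id}


def demo():
    """Replays the advisory's scenario against both paths; returns the outcomes."""
    app_creds = {"ac-A": {"project_id": "project-A"}}  # constructed sample data
    ctx = AuthContext("alice", "project-A", app_cred_id="ac-A",
                      app_cred_project_id="project-A", app_cred_unrestricted=True)
    out = {}
    rogue = legacy_create_ec2_credential(ctx, "c1", "project-B", "AKIA1", "s1")
    out["legacy_cred_project"] = rogue.project_id            # stored as project-B
    try:
        issue_ec2_token(rogue, app_creds)
        out["legacy_exchange"] = "token issued"
    except Forbidden:
        out["legacy_exchange"] = "forbidden"                 # auth-time check catches it
    try:
        create_ec2_credential(ctx, "c2", "project-B", "AKIA2", "s2")
        out["fixed_create"] = "created"
    except Forbidden:
        out["fixed_create"] = "forbidden"                    # creation-time check catches it
    good = create_ec2_credential(ctx, "c3", "project-A", "AKIA3", "s3")
    out["in_project_token"] = issue_ec2_token(good, app_creds)["project_id"]
    return out
```

Running demo() walks the advisory's attack: the legacy path happily stores a project-B credential for an app cred bound to project A, the patched creation path refuses the same request, and the auth-time check refuses to exchange the legacy credential for a token, which is why the changelog treats the second check as necessary even after the first is merged.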

#1135645#72
Date:
2026-06-08 20:23:12 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1135645@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 25 May 2026 16:39:48 +0200
Source: keystone
Architecture: source
Version: 2:27.0.0-3+deb13u4
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1135645
Changes:
 keystone (2:27.0.0-3+deb13u4) trixie-security; urgency=medium
 .
   * Multiple vulnerabilities in Keystone's delegated authentication allow an
     authenticated user to escalate privileges to cloud admin. The most severe
     (CVE-2026-42999) requires only a valid token:
     - CVE-2026-42999: An attacker can inject RBAC policy targets via the JSON
       request body, bypassing authorization on any policy-protected endpoint.
       Allows reading all credential secrets, creating credentials for arbitrary
       users, and granting admin across domains. (LP#2148398, reported by Boris
       Bobrov, SAP SE).
     - CVE-2026-42998: Application credential authentication does not verify the
       caller owns the credential, allowing user impersonation within a shared
       project. (LP#2148477, reported by Boris Bobrov, SAP SE).
     - CVE-2026-43000: The impersonation from CVE-2026-42998 can be chained
       with trusts to escalate from member to admin. The resulting trust
       persists independently of the original credential. (LP#2148477, reported
       by Boris Bobrov, SAP SE).
     - CVE-2026-43001: Application credentials scoped to one project can create
       EC2 credentials for a different project. A fix for the creation-time
       path is already merged; this patch extends the check to the auth-time
       path. (LP#2149775, reported by Tim Shepherd, roiai.ca).
     - CVE-2026-44394: Federated users can maintain access indefinitely by
       repeatedly rescoping tokens before expiry. Each rescope issues a fresh
       full-TTL token instead of inheriting the original expiry. Only
       SAML2/OIDC deployments are affected. (LP#2150379, reported by Erichen,
       Institute of Computing Technology, Chinese Academy of Sciences).
     .
     The patch also addresses three related issues found during investigation:
     trust-scoped tokens accessing credentials outside the delegated project
     (LP#2149789), trust-scoped tokens creating persistent application
     credentials for impersonated users (LP#2150089), and a latent query-string
     parameter injection in policy enforcement and lack of scope boundary
     enforcement in the delegated token logic (LP#2150089). These were reported
     by Tim Shepherd (roiai.ca) and Artem Goncharov (SysEleven GmbH).
     .
     Applied the proposed upstream patches:
     - 0001-Add-tests-for-restricted-app-cred-guard.patch
     - 0002-Block-restricted-app-creds-from-creating-EC2-credent.patch
     - 0003-Block-app-cred-tokens-from-authorizing-OAuth1-reques.patch
     - 0004-Enforce-app-cred-project-boundary-on-EC2-credential-.patch
     - CVE-2026-43001-keystone-backport-stable-2025.1.patch
     .
     Please also note that the fix for CVE-2026-42999 (LP#2148398) modifies the
     trust policy structure. If this policy is customized by the provider,
     failure to update it may result in issues with image upload, heat service
     functionality and potentially more.
   * Note that all the above CVEs are combined into this one: CVE-2026-43001.
     (Closes: #1135645).
Checksums-Sha1:
 8d387eeb98ad17d55e05e0e98865daae736ace33 3486 keystone_27.0.0-3+deb13u4.dsc
 896a6f57c727fa62d0aec10d5c8844b40cc42bdb 1098444 keystone_27.0.0.orig.tar.xz
 04094d63b500a14d3778ab16f902da19682f6920 68048 keystone_27.0.0-3+deb13u4.debian.tar.xz
 24466e8594942b22b16e25d06cfe1809d80447fd 18660 keystone_27.0.0-3+deb13u4_amd64.buildinfo
Checksums-Sha256:
 8542741120f778bef0c9192b25c737dd0e232e1ae7baee71c030d76931dfbe95 3486 keystone_27.0.0-3+deb13u4.dsc
 223b27dc676dabd6c9d67e4409fe086f92b5d47bf71ee8c724c3e0d13f26d635 1098444 keystone_27.0.0.orig.tar.xz
 6919c85e4612d17804ffc1aca27a1c157572280e1b141cd2d14dbbe36b7c5c4c 68048 keystone_27.0.0-3+deb13u4.debian.tar.xz
 70f1f5ec3f082a8082a5f9fdf3323e343932f38fb6655601e6e257c4ef36e4b3 18660 keystone_27.0.0-3+deb13u4_amd64.buildinfo
Files:
 55984bbcd57c7315ab2135b44190e341 3486 net optional keystone_27.0.0-3+deb13u4.dsc
 d8119041a4ba1c4545ab5dabe9ae65b9 1098444 net optional keystone_27.0.0.orig.tar.xz
 5d6c15866a71d2a32c6378e353bdcbf2 68048 net optional keystone_27.0.0-3+deb13u4.debian.tar.xz
 087d87a7764cd58ea159b7ca0e7280f2 18660 net optional keystone_27.0.0-3+deb13u4_amd64.buildinfo
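The rescoping lifetime problem the changelog describes for CVE-2026-44394, as an added illustrative model and not Keystone's own code. Token, TOKEN_TTL, the two rescope functions and simulate_rescope_chain are assumptions made for this example, and the model applies the expiry cap to every rescope where the changelog scopes the real issue to federated (SAML2/OIDC) tokens. rescope_fresh_ttl reproduces the described behaviour, where each rescope mints a token with a full TTL, and rescope_inherit_expiry caps the new token at the original expiry so the chain ends when the first token would have.

```python
# Added illustrative model of token rescoping and expiry inheritance. Not
# Keystone's code: Token, TOKEN_TTL and the rescope functions are assumed.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_TTL = timedelta(hours=1)  # assumed provider TTL for a freshly issued token


class Unauthorized(Exception):
    """The presented token is no longer valid."""


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: Optional[str]
    issued_at: datetime
    expires_at: datetime
    federated: bool = False


def _require_valid(token: Token, now: datetime) -> None:
    if now >= token.expires_at:
        raise Unauthorized("token expired")


def rescope_fresh_ttl(token: Token, project_id: str, now: datetime) -> Token:
    """Behaviour described for CVE-2026-44394: every rescope gets a brand-new
    full TTL, so a holder who rescopes before expiry is never cut off."""
    _require_valid(token, now)
    return replace(token, project_id=project_id, issued_at=now, expires_at=now + TOKEN_TTL)


def rescope_inherit_expiry(token: Token, project_id: str, now: datetime) -> Token:
    """Fixed behaviour: a rescoped token never outlives the token it came from,
    so the original authentication's expiry bounds the whole chain."""
    _require_valid(token, now)
    expires_at = min(now + TOKEN_TTL, token.expires_at)
    return replace(token, project_id=project_id, issued_at=now, expires_at=expires_at)


def simulate_rescope_chain(rescope, start: datetime, step: timedelta, rounds: int):
    """Rescope every `step` after `start` for up to `rounds` attempts; returns how
    many rescopes succeeded and the expiry of the last token the holder obtained."""
    token = Token("fed-user", None, start, start + TOKEN_TTL, federated=True)
    succeeded = 0
    for i in range(1, rounds + 1):
        now = start + i * step
        try:
            token = rescope(token, "project-A", now)
        except Unauthorized:
            break
        succeeded += 1
    return succeeded, token.expires_at


def demo():
    """Holder rescopes every 30 minutes for 20 rounds; returns what each policy yields."""
    start = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)  # constructed sample clock
    step = timedelta(minutes=30)
    result = {}
    for name, fn in (("fresh_ttl", rescope_fresh_ttl), ("inherit_expiry", rescope_inherit_expiry)):
        n, expires_at = simulate_rescope_chain(fn, start, step, rounds=20)
        result[f"{name}_rescopes"] = n
        result[f"{name}_lifetime_minutes"] = int((expires_at - start).total_seconds() // 60)
    return result
```

With a one-hour TTL and a rescope every 30 minutes, the full-TTL variant succeeds on all 20 rounds and the holder's access has stretched to 11 hours from the original authentication; the capped variant allows exactly one rescope and the second attempt fails at the original one-hour expiry, which is the property a deployment should verify after applying the fix.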