Incorrect Authorization Affecting openstack-keystone-2025.1 package, versions <27.0.1_git20260618-r6


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.33% (25th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-OPENSTACKKEYSTONE20251-17816699
  • published4 Jul 2026
  • disclosed28 May 2026

Introduced: 28 May 2026

CVE-2026-43000  (opens in a new tab)
CWE-863  (opens in a new tab)

How to fix?

Upgrade Chainguard openstack-keystone-2025.1 to version 27.0.1_git20260618-r6 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream openstack-keystone-2025.1 package and not the openstack-keystone-2025.1 package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.

CVSS Base Scores

version 3.1