Incorrect Privilege Assignment

The advisory has been revoked - it doesn't affect any version of package openstack-keystone


Threat Intelligence

EPSS
0.22% (13th percentile)

  • Snyk ID: SNYK-RHEL10-OPENSTACKKEYSTONE-16065718
  • Published: 15 Apr 2026
  • Disclosed: 7 Apr 2026

Introduced: 7 Apr 2026

CVE-2026-33551
CWE-266

Amendment

The Red Hat security team deemed this advisory irrelevant for RHEL:10.

NVD Description

Note: Versions mentioned in the description apply only to the upstream openstack-keystone package and not the openstack-keystone package as distributed by RHEL.

An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.