OpenStack: Six Medium-to-High CVEs Disclosed Across Neutron, Keystone, and Swift
Six vulnerabilities landed across OpenStack Neutron, Keystone, and Swift in a two-day disclosure window, including an RBAC bypass, a token-expiry flaw, and a Swift infinite-loop DoS rated High.

Key findings
- Four of the six CVEs target Keystone, OpenStack's identity service
- CVE-2026-42999: RBAC policy bypass via JSON body overwriting trusted target data
- CVE-2026-42998: Application credential auth does not verify the user matches the credential owner
- CVE-2026-43000: Member-to-admin escalation chain via credentials + trusts
- CVE-2026-49017: Swift s3api infinite-loop DoS rated High, patched in 2.36.2/2.37.2
- CVE-2026-49299: Neutron tag controller policy name mismatch lets project readers write tags
The OpenStack security team published six CVEs across three core projects — Neutron, Keystone, and Swift — between May 27 and May 28, 2026. The batch clusters around identity and access-control weaknesses in Keystone (four of the six), plus a policy-enforcement mismatch in Neutron and a denial-of-service bug in Swift's s3api middleware. Five of the six are rated Medium (CVSSv3 6.0); the Swift issue is rated High.
Keystone: Four Flaws in Identity and RBAC Logic
The largest share of the batch targets Keystone, OpenStack's identity service. CVE-2026-44394 affects federated token rescoping: when a federated user calls POST /v3/auth/tokens to rescope a token, the handle_scoped_token() function in the mapped authentication plugin does not propagate the original token's expiry to the newly issued token. This means a rescoped token can outlive the token it was derived from, extending a federated user's access window beyond what the identity provider intended. The fix ships in Keystone 29.0.2.
CVE-2026-42999 is an RBAC policy-enforcement bypass. The Keystone policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. An attacker can craft a request body that overrides the resource target fields the policy engine relies on, potentially gaining access to resources they should not be able to touch. This is a classic "parameter shadowing" pattern in policy engines.
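The merge-order problem described above, reduced to a few lines as an added illustration (this is constructed example code, not Keystone's enforce_call, and the hardened variant is one possible fix, not necessarily the upstream patch):

```python
# Toy policy rule: the caller may act only on resources in their own project.
def same_project(creds, target):
    return creds["project_id"] == target.get("project_id")

def enforce_call_vulnerable(rule, creds, target_from_db, json_input):
    """Pattern from the advisory: the raw body is merged last, so it shadows trusted fields."""
    policy_dict = {}
    policy_dict.update(target_from_db)        # trusted: looked up from the database
    policy_dict.update(json_input.copy())     # untrusted body overwrites anything above
    return rule(creds, policy_dict)

def enforce_call_hardened(rule, creds, target_from_db, json_input):
    """Body data is kept under its own key; trusted target fields can never be shadowed."""
    policy_dict = {"body": json_input.copy()}
    policy_dict.update(target_from_db)        # DB-derived target always wins
    return rule(creds, policy_dict)

def shadowed_fields(target_from_db, json_input):
    """Audit helper: top-level target keys a request body would overwrite if merged last."""
    return sorted(set(target_from_db) & set(json_input))

def regression_check():
    """Constructed scenario: resource belongs to proj-B, caller is scoped to proj-A."""
    creds = {"user_id": "u1", "project_id": "proj-A"}
    target_from_db = {"project_id": "proj-B", "id": "res-1"}
    body = {"project_id": "proj-A", "name": "renamed"}    # body claims the caller's project
    return {
        "vulnerable_allows": enforce_call_vulnerable(same_project, creds, target_from_db, body),
        "hardened_allows": enforce_call_hardened(same_project, creds, target_from_db, body),
        "shadowed": shadowed_fields(target_from_db, body),
    }
```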
CVE-2026-42998 addresses an application credential authentication gap. The Keystone application credential plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker who possesses a valid application credential ID and secret can authenticate as any user they specify in the request, effectively impersonating arbitrary identities. This bypasses the intended binding between an application credential and its owner.
CVE-2026-43000 describes a privilege-escalation chain. When combined with an application credential impersonation vulnerability (such as CVE-2026-42998), an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, and the trust mechanism elevates the effective role. The fix in Keystone 29.0.2 addresses the underlying trust-and-credential interaction.
Neutron: Policy Name Mismatch in Tagging Controller
CVE-2026-49299 affects Neutron (networking service) before version 28.0.1. The tagging controller enforces plural policy action names on single-tag write operations, while the defined policy rules use singular names. Because the mismatched names evaluate as "allowed" under the default policy, a project reader — who should only have read access — can create and update tags on same-project resources. This is a low-complexity bypass that undermines the principle of least privilege for tag management.
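The name-mismatch failure mode as an added example (constructed code, not Neutron's or oslo.policy's): a registry with a permissive fallback rule, an enforcer that silently falls through to it for undefined action names, a strict variant, and an audit helper that lists controller actions with no matching rule.

```python
# Policy registry; the permissive "default" fallback is an assumption of this illustration.
RULES = {
    "default": lambda ctx: True,
    "create_tag": lambda ctx: ctx["role"] in ("admin", "member"),
    "update_tag": lambda ctx: ctx["role"] in ("admin", "member"),
}

# Action names a hypothetical tag controller enforces on single-tag writes (plural form).
CONTROLLER_ACTIONS = {"create_tags", "update_tags"}

def enforce(rules, action, ctx):
    """Undefined action names fall through to 'default', which here grants access."""
    rule = rules.get(action, rules["default"])
    return rule(ctx)

def enforce_strict(rules, action, ctx):
    """Hardened variant: an undefined action is a configuration error, not a grant."""
    if action not in rules:
        raise KeyError(f"no policy rule defined for action {action!r}")
    return rules[action](ctx)

def strict_outcome(rules, action, ctx):
    """Wrapper returning 'undefined' instead of raising, for easy comparison."""
    try:
        return enforce_strict(rules, action, ctx)
    except KeyError:
        return "undefined"

def undefined_actions(rules, actions):
    """Audit helper: controller action names that no policy rule defines."""
    return sorted(a for a in actions if a not in rules)

def demo():
    reader = {"role": "reader", "project_id": "p1"}
    return {
        "singular_denied": enforce(RULES, "create_tag", reader),    # rule applies: False
        "plural_allowed": enforce(RULES, "create_tags", reader),    # fallback grants: True
        "strict": strict_outcome(RULES, "create_tags", reader),     # 'undefined'
        "missing_rules": undefined_actions(RULES, CONTROLLER_ACTIONS),
    }
```

Running undefined_actions against the real policy files and the action names a controller uses is the check that would have flagged this mismatch before deployment.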
Swift: Infinite-Loop DoS in s3api Middleware
CVE-2026-49017 is the batch's single High-severity finding, affecting Swift (object storage) before versions 2.36.2 and 2.37.2. The s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing memory consumption. An attacker can trigger this with a single crafted HTTP request, effectively consuming a worker thread indefinitely — a straightforward denial-of-service vector against Swift clusters.
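Added example, not Swift's StreamingInput code: a minimal aws-chunked decoder that treats an empty read as end-of-stream, so a truncated body fails fast instead of spinning. The sample bodies are constructed and the 64-zero chunk signatures are placeholders, not real SigV4 values.

```python
import io

class IncompleteChunk(Exception):
    """The body ended before the chunk framing said it would (truncated upload)."""

def _read_exact(stream, n):
    """Read exactly n bytes. An empty read means EOF and must end the loop;
    treating it as 'nothing yet, append and retry' is the spin described above."""
    buf = bytearray()
    while len(buf) < n:
        piece = stream.read(n - len(buf))
        if not piece:
            raise IncompleteChunk(f"wanted {n} bytes, stream ended after {len(buf)}")
        buf += piece
    return bytes(buf)

def _read_line(stream):
    """Read one CRLF-terminated chunk header line."""
    line = bytearray()
    while not line.endswith(b"\r\n"):
        ch = stream.read(1)
        if not ch:
            raise IncompleteChunk("stream ended inside a chunk header")
        line += ch
    return bytes(line[:-2])

def decode_aws_chunked(body):
    """Decode 'hex-size;chunk-signature=...\\r\\n<data>\\r\\n' framing into payload bytes."""
    stream, out = io.BytesIO(body), bytearray()
    while True:
        size = int(_read_line(stream).split(b";", 1)[0], 16)
        if size == 0:                       # final zero-length chunk: done
            return bytes(out)
        out += _read_exact(stream, size)
        if _read_exact(stream, 2) != b"\r\n":
            raise ValueError("missing chunk terminator")

def safe_decode(body):
    """Return ('ok', payload) or ('truncated', None) without raising."""
    try:
        return "ok", decode_aws_chunked(body)
    except IncompleteChunk:
        return "truncated", None

# Constructed sample bodies (placeholder signatures).
SIG = b"chunk-signature=" + b"0" * 64
GOOD = b"5;" + SIG + b"\r\nhello\r\n0;" + SIG + b"\r\n\r\n"
TRUNCATED = b"a;" + SIG + b"\r\nhello"     # header promises 10 bytes, only 5 arrive
```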
Patch Status and Mitigations
All six CVEs have fixes available in the respective project release streams:
- Neutron: patched in 28.0.1.
- Keystone: patched in 29.0.2.
- Swift: patched in 2.36.2 and 2.37.2.
Operators should upgrade to the patched versions. For deployments that cannot upgrade immediately, the Keystone team recommends reviewing application credential policies and trust configurations as a partial mitigation for the escalation chain in CVE-2026-43000. No in-the-wild exploitation has been reported for any of these CVEs as of the disclosure date.
Why This Batch Matters
Four of the six CVEs live in Keystone, the linchpin of OpenStack identity and authorization. The RBAC parameter-shadowing bug (CVE-2026-42999) and the application-credential authentication gap (CVE-2026-42998) are particularly concerning because they can be chained — as CVE-2026-43000 explicitly demonstrates — to turn a low-privilege member role into full admin access. Cloud operators running federated identity or application-credential workflows should prioritize the Keystone 29.0.2 update. The Swift infinite-loop DoS (CVE-2026-49017) is a separate concern for object-storage-heavy deployments, as a single unauthenticated (or low-privilege) PUT request can pin a proxy worker indefinitely.