VYPR
High severity · NVD Advisory · Published May 6, 2020 · Updated Aug 4, 2024

CVE-2020-12690

Description

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In OpenStack Keystone before 15.0.1 and in 16.0.0, the OAuth1 API ignores the list of roles supplied when a request token is authorized, so the Keystone token later derived from the access token carries every role the delegating user holds on the project rather than the intended subset.

Vulnerability

CVE-2020-12690 is a vulnerability in OpenStack Keystone's OAuth1 delegation API (OS-OAUTH1). In that flow a consumer obtains a request token, the delegating user authorizes it and at that step names the roles the consumer may use, and the consumer exchanges the result for an access token. The role list is silently ignored: when the access token is later used to request a Keystone token, the resulting token includes all role assignments the delegating user (the creator of the access token) holds on the project, not just the specified subset [1][2].

Exploitation

The party that benefits is the OAuth1 consumer, that is, the application or service the user delegated to, rather than an arbitrary outsider. A consumer holding an access token that was authorized for only a subset of the user's roles on a project can exchange it for a Keystone token carrying all of that user's role assignments on the project. The attack needs nothing beyond the ability to interact with the Keystone API and a valid access token; the resulting token is scoped to the delegating user, who must hold at least one role assignment on the project for the delegation to exist at all [3].
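As an added illustration (this is not Keystone's own code), the following Python models the delegation steps described above: a user authorizes a request token with a role list, and the consumer later exchanges the access token for a Keystone token. The user IDs, role IDs, project `proj-1`, the simplified `AccessToken` record and the assumption that the authorize step refuses roles the user does not hold are all constructed for the example; `issue_keystone_token_fixed` is an illustrative hardened form, not the upstream patch. The pre-fix issuer copies every role the delegator holds, and `excess_roles` is the audit check that flags the difference.

```python
from dataclasses import dataclass

# Constructed sample data: role assignments a delegating user holds on a project.
# Keys are (user_id, project_id); values are the role IDs assigned there.
ASSIGNMENTS = {
    ("alice", "proj-1"): {"reader", "member", "admin"},
    ("bob", "proj-1"): {"reader"},
}


@dataclass(frozen=True)
class AccessToken:
    """OAuth1 access token as stored server-side (simplified model, not Keystone's schema)."""
    consumer_id: str
    authorizing_user_id: str
    project_id: str
    authorized_role_ids: tuple  # role list given when the request token was authorized


def roles_for(user_id, project_id):
    """Role IDs the user currently holds on the project (constructed lookup)."""
    return set(ASSIGNMENTS.get((user_id, project_id), ()))


def authorize_request_token(user_id, project_id, requested_role_ids, consumer_id="consumer-1"):
    """Authorization step: the user names which of their roles the consumer may use.

    Assumption of this model: roles the user does not hold are refused here, so the
    stored role list is always a subset of the user's assignments at authorize time.
    """
    held = roles_for(user_id, project_id)
    requested = set(requested_role_ids)
    missing = requested - held
    if missing:
        raise PermissionError(f"{user_id} does not hold roles {sorted(missing)} on {project_id}")
    return AccessToken(consumer_id, user_id, project_id, tuple(sorted(requested)))


def issue_keystone_token_vulnerable(access_token):
    """Pre-fix behaviour (CVE-2020-12690): authorized_role_ids is never consulted,
    so the consumer receives every role the delegating user holds on the project."""
    held = roles_for(access_token.authorizing_user_id, access_token.project_id)
    return {
        "user_id": access_token.authorizing_user_id,
        "project_id": access_token.project_id,
        "roles": sorted(held),
    }


def issue_keystone_token_fixed(access_token):
    """Illustrative hardened form: only roles that were authorized AND that the
    delegating user still holds are carried into the token."""
    held = roles_for(access_token.authorizing_user_id, access_token.project_id)
    effective = set(access_token.authorized_role_ids) & held
    if not effective:
        # The delegator lost every delegated role since authorizing: refuse rather
        # than fall back to their current full assignment set.
        raise PermissionError("no authorized roles remain for the delegating user")
    return {
        "user_id": access_token.authorizing_user_id,
        "project_id": access_token.project_id,
        "roles": sorted(effective),
    }


def excess_roles(token, access_token):
    """Audit check: roles in an issued token beyond those authorized for the access
    token. A non-empty result is the behaviour this CVE describes."""
    return sorted(set(token["roles"]) - set(access_token.authorized_role_ids))


if __name__ == "__main__":
    delegated = authorize_request_token("alice", "proj-1", ["reader"])
    before = issue_keystone_token_vulnerable(delegated)
    after = issue_keystone_token_fixed(delegated)
    print("authorized :", delegated.authorized_role_ids)
    print("vulnerable :", before["roles"], "excess:", excess_roles(before, delegated))
    print("fixed      :", after["roles"], "excess:", excess_roles(after, delegated))
```

The intersection in the fixed issuer also covers the case where the delegator has lost a role since authorizing: that role drops out of the derived token instead of surviving through the access token, and if nothing remains the exchange is refused.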

Impact

Successful exploitation is privilege escalation within the delegating user's own assignments: the consumer obtains a token with every role assignment the creator held for the project, which may allow access to resources or actions the creator never intended to delegate (for example, an administrative role granted to a consumer that was only authorized for a read role) [4].

Mitigation

The fix shipped in Keystone 15.0.1 for the 15.x series; the description also lists 16.0.0 as affected, so deployments on 16.0.0 should move to a release that carries the fix. No workaround is documented, so applying the patch is the recommended action. Until it is applied, operators should treat every existing OAuth1 access token as granting the delegator's full role set on the project, regardless of the subset that was authorized, and review which consumers hold such tokens [2][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions           Patched versions
keystone (PyPI)  < 15.0.1                    15.0.1
keystone (PyPI)  >= 16.0.0.0rc1, < 16.0.0    16.0.0

Note that the second row, as sourced from the advisory, lists 16.0.0 as the patched version, whereas the NVD description above names 16.0.0 itself as affected; check the upstream release notes for your branch before treating 16.0.0 as fixed.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 12
