Critical severity9.9NVD Advisory· Published Jan 19, 2026· Updated Apr 15, 2026
CVE-2026-22797
CVE-2026-22797
Description
An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: 10.5-10.7 <10.7.2, 10.8-10.9 <10.9.1, 10.10-10.12 <10.12.1
- osv-coordsRange: < 10.12.0-2.1
Patches
Vulnerability mechanics
References
6News mentions
0No linked articles in our index yet.