Critical severity9.9NVD Advisory· Published Jan 19, 2026· Updated Apr 15, 2026

CVE-2026-22797

Description

An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected.

Affected products

Pachno/Keystonemiddlewareinferred
Range: >=10.5,<10.7.2, >=10.8,<10.9.1, >=10.10,<10.12.1
Package: https://pypi.org/project/keystonemiddleware

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/01/15/1nvd
www.openwall.com/lists/oss-security/2026/01/16/2nvd
www.openwall.com/lists/oss-security/2026/01/16/3nvd
www.openwall.com/lists/oss-security/2026/01/16/9nvd
launchpad.net/bugs/2129018nvd
www.openwall.com/lists/oss-security/2026/01/16/9nvd

News mentions

No linked articles in our index yet.

cvss	0.643
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000