Low severity3.5NVD Advisory· Published Apr 10, 2026· Updated Apr 13, 2026

CVE-2026-33551

Description

An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
keystonePyPI	>= 14.0.0, < 26.1.1	26.1.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-4phw-6824-6cfpghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-33551ghsaADVISORY
www.openwall.com/lists/oss-security/2026/04/07/12nvdWEB
bugs.launchpad.net/keystone/+bug/2142138nvdWEB
security.openstack.org/ossa/OSSA-2026-005.htmlnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.227
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000