VYPR
Medium severity (6.0) · NVD Advisory · Published May 28, 2026

CVE-2026-42998

Description

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenStack Keystone application credential authentication does not verify user ownership, allowing token impersonation of any project user.

Vulnerability

In OpenStack Keystone before versions 27.0.2, 28.0.2, and 29.0.2, the application credential authentication plugin does not verify that the user specified in the POST /v3/auth/tokens request body matches the owner of the application credential. An attacker holding a valid application credential (ID and secret) on a project can authenticate while providing a different user's name and domain in the user field. Keystone then issues a token attributed to the victim user. All Keystone versions from 14.0.0 up to the fixed releases are affected [1][2].

Exploitation

The attacker only needs a valid application credential on a project shared with the victim. The attacker authenticates with their own application credential ID and secret but includes a user payload containing the victim's username and domain; no knowledge of the victim's password or user ID is required. For the attack to yield a usable token, the victim must hold at least one role on that project that also appears among the application credential's roles. The attacker can additionally create the application credential with unrestricted set to true, which any user is permitted to do, so that the impersonated token can create trusts and escalate further [1].

Impact

On success, the attacker receives a project-scoped token impersonating the victim. The token carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables the attacker to act as the victim within the project at the attacker's privilege level, allowing audit evasion, reading the victim's credentials and secrets, revoking the victim's tokens, and deleting the victim's trusts and access rules. When combined with trusts (by creating a trust naming the victim as trustor), the attacker can further escalate privileges from member to admin, gaining sustained access independent of the original impersonation [1].
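The request shape and the role intersection described in the Exploitation and Impact sections, as an added model that is not Keystone's code and not an exploit against a live service: the user records, the application credential, and the request bodies are constructed sample data, `authenticate()` is a stand-in for the auth plugin, and the `verify_owner` flag switches between the pre-fix behaviour and the ownership check that the fixed releases add. How the real fix reports a mismatch is not stated on this page; the model raises `Unauthorized`.

```python
"""Model of the Keystone application-credential auth flow described above.

Added illustration, not Keystone's code: all identifiers, secrets, users and
roles below are constructed sample data.
"""
from dataclasses import dataclass


class Unauthorized(Exception):
    """Stand-in for Keystone refusing the authentication request."""


@dataclass
class AppCredential:
    id: str
    secret: str
    user_id: str        # owner of the credential
    project_id: str     # credentials are bound to one project
    roles: frozenset    # roles delegated to the credential


@dataclass
class User:
    id: str
    name: str
    domain: str
    project_roles: dict  # project_id -> frozenset of role names


# Constructed sample data (hypothetical identifiers).
USERS = {
    "u-attacker": User("u-attacker", "mallory", "Default",
                       {"p-shared": frozenset({"member", "reader"})}),
    "u-victim": User("u-victim", "alice", "Default",
                     {"p-shared": frozenset({"admin", "member"})}),
    "u-other": User("u-other", "bob", "Default",
                    {"p-shared": frozenset({"admin"})}),   # no overlap with cred
}
APP_CREDS = {
    "ac-1": AppCredential("ac-1", "s3cret", "u-attacker", "p-shared",
                          frozenset({"member", "reader"})),
}


def _find_user(name, domain):
    for user in USERS.values():
        if user.name == name and user.domain == domain:
            return user
    raise Unauthorized("no such user")


def authenticate(auth, verify_owner):
    """Return (token_user_id, project_id, roles) for an auth payload.

    `auth` mirrors the application_credential method body:
      {"id": ..., "secret": ..., "user": {"name": ..., "domain": {"name": ...}}}
    verify_owner=False reproduces the behaviour the advisory describes;
    verify_owner=True adds the ownership check the fixed releases perform.
    """
    cred = APP_CREDS.get(auth.get("id"))
    if cred is None or cred.secret != auth.get("secret"):
        raise Unauthorized("bad application credential")
    owner = USERS[cred.user_id]
    if "user" in auth:
        requested = _find_user(auth["user"]["name"], auth["user"]["domain"]["name"])
        if verify_owner and requested.id != owner.id:
            raise Unauthorized("application credential does not belong to user")
        token_user = requested   # vulnerable path: token attributed to whoever was named
    else:
        token_user = owner
    # Token roles: intersection of the credential's roles and the token user's
    # actual roles on the credential's project; an empty intersection yields no token.
    roles = cred.roles & token_user.project_roles.get(cred.project_id, frozenset())
    if not roles:
        raise Unauthorized("no matching roles on project")
    return token_user.id, cred.project_id, roles


def is_rejected(auth, verify_owner):
    """True if authenticate() refuses the request under the given mode."""
    try:
        authenticate(auth, verify_owner)
    except Unauthorized:
        return True
    return False


IMPERSONATION_REQUEST = {   # attacker's credential, victim's name and domain
    "id": "ac-1", "secret": "s3cret",
    "user": {"name": "alice", "domain": {"name": "Default"}},
}
OWN_REQUEST = {             # attacker naming themself: legitimate in both modes
    "id": "ac-1", "secret": "s3cret",
    "user": {"name": "mallory", "domain": {"name": "Default"}},
}

if __name__ == "__main__":
    print("pre-fix :", authenticate(IMPERSONATION_REQUEST, verify_owner=False))
    print("fixed   :", "rejected" if is_rejected(IMPERSONATION_REQUEST, True) else "issued")
```

In the pre-fix mode the impersonation request returns a token for `u-victim` carrying only `member`, the one role the credential shares with the victim on the project, which is the "attacker's privilege level" point made above; the request naming `bob` is refused in both modes because his roles do not overlap the credential's.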

Mitigation

Fixed versions are 27.0.2 (2025.1/epoxy branch), 28.0.2 (2025.2/flamingo branch), and 29.0.2 (current release). Patches were released on May 28, 2026 [2]. Deployers should upgrade immediately. No workaround is available. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog.
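An added check for the version ranges stated above, not from the advisory or the Keystone project: it maps a Keystone release string to the branch-specific fixed version (27.0.2, 28.0.2, otherwise 29.0.2), treats anything from 14.0.0 up to that fix as affected, and orders pre-release tags such as `29.0.2.dev3` below the final release. The inventory and function names are constructed for the example.

```python
"""Flag Keystone versions that fall in the affected range from the advisory.

Added example; the branch/fix table is taken from the text above, the
version-suffix handling and the sample inventory are this example's own.
"""
import re

FIRST_AFFECTED = (14, 0, 0, 1)
FIXED_BY_BRANCH = {27: (27, 0, 2, 1), 28: (28, 0, 2, 1)}   # 2025.1 and 2025.2 branches
FIXED_DEFAULT = (29, 0, 2, 1)                                # every other branch

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
_PRERELEASE_RE = re.compile(r"[.\-]?(dev|rc|a|b)\d*", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, final) so tuples compare in release order.

    final is 0 for a pre-release tag (dev/rc/a/b) and 1 for a final release,
    so 29.0.2.dev3 < 29.0.2. Other suffixes (e.g. a local build tag) are
    treated as the final release they are built from.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Keystone version: {text!r}")
    major, minor, patch, suffix = match.groups()
    final = 0 if _PRERELEASE_RE.fullmatch(suffix.strip()) else 1
    return (int(major), int(minor), int(patch or 0), final)


def fixed_version_for(version):
    """Fixed release that applies to this version's branch."""
    return FIXED_BY_BRANCH.get(parse_version(version)[0], FIXED_DEFAULT)


def is_affected(version):
    parsed = parse_version(version)
    if parsed < FIRST_AFFECTED:
        return False
    return parsed < fixed_version_for(version)


def affected_hosts(inventory):
    """Return sorted hostnames whose Keystone needs the fix.

    inventory: mapping hostname -> version string.
    """
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = {
    "keystone-a": "27.0.1",      # 2025.1, below its branch fix
    "keystone-b": "27.0.2",      # 2025.1, fixed
    "keystone-c": "28.0.2",      # 2025.2, fixed
    "keystone-d": "29.0.2.dev3", # pre-release of the fix, still affected
    "keystone-e": "26.0.0",      # older branch, below 29.0.2
    "keystone-f": "13.0.1",      # before 14.0.0, outside the stated range
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} affected")
```

Run it against the package version reported by your package manager on each Keystone node; the only judgement call is the pre-release handling, which errs on the side of reporting a build as affected.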

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • OpenStack/Keystone (inferred, 2 versions): <29.0.2 + 1 more
    • (no CPE) range: <29.0.2
    • (no CPE) range: <29.0.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (2)

News mentions (0)

No linked articles in our index yet.