CVE-2026-42999
Description
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
8- osv-coords5 versionspkg:apk/chainguard/openstack-keystone-2025.1-fipspkg:apk/chainguard/openstack-keystone-2025.2pkg:apk/chainguard/openstack-keystone-2025.2-fipspkg:apk/chainguard/openstack-keystone-2026.1pkg:apk/chainguard/openstack-keystone-2026.1-fips
< 27.0.1_git20260618-r7+ 4 more
- (no CPE)range: < 27.0.1_git20260618-r7
- (no CPE)range: < 28.0.1_git20260618-r5
- (no CPE)range: < 28.0.1_git20260618-r5
- (no CPE)range: < 29.0.1_git20260616-r6
- (no CPE)range: < 29.0.1_git20260617-r6
Patches
Vulnerability mechanics
References
2- bugs.launchpad.net/keystone/+bug/2148398nvdExploitIssue TrackingThird Party AdvisoryPatch
- security.openstack.org/ossa/OSSA-2026-015.htmlnvdVendor AdvisoryPatch
News mentions
1- OpenStack: Six Medium-to-High CVEs Disclosed Across Neutron, Keystone, and SwiftVypr Intelligence · May 28, 2026