VYPR
Medium severity (6.0) · NVD Advisory · Published May 28, 2026

CVE-2026-42999

Description

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users can inject arbitrary RBAC policy targets via JSON request body to bypass authorization in OpenStack Keystone.

Vulnerability

An issue exists in OpenStack Keystone's RBAC policy enforcer in the enforce_call method (file keystone/common/rbac_enforcer/enforcer.py, lines 478-479). The method unconditionally merges the raw JSON request body into the policy enforcement dictionary using policy_dict.update(json_input.copy()) after trusted target data has been set from database lookups. Because flask.request.get_json is called with force=True, JSON parsing occurs regardless of the Content-Type header or HTTP method (including GET, HEAD, DELETE). This allows any authenticated user to overwrite the "target" key in the policy dictionary with attacker-controlled values. Affected versions: Keystone >=14.0.0 (Rocky) up to <27.0.2, >=28.0.0 <28.0.2, >=29.0.0 <29.0.2 [1][2].

Exploitation

An attacker needs only an authenticated session to any Keystone endpoint. They send a request with a JSON body containing a "target" key with arbitrary attributes (e.g., user_id, project_id) set to values that match their own token credentials. The policy engine then uses these injected values instead of the real database-sourced data for RBAC comparisons. The actual API handler still reads resource identifiers from the URL path (flask.request.view_args), so the operation executes against the victim's resource while the policy check passes for the attacker [1].

Impact

Successful exploitation allows an authenticated attacker to bypass RBAC checks on any policy-protected endpoint. This can lead to reading every credential secret in the system (including EC2 access/secret keys and certificates), creating EC2 credentials for arbitrary users and authenticating as them, reading any user's profile and project memberships, listing all users and groups across all domains, reading any project or domain details, deleting any user's credentials or application credentials, creating or revoking role grants across domain boundaries, granting inherited admin roles on foreign domains, adding or removing users from groups in other domains, and deleting users and projects. Essentially, the attacker can escalate to cloud admin privileges [1][2].

Mitigation

The vulnerability is fixed in Keystone versions 27.0.2, 28.0.2, and 29.0.2, released on May 28, 2026 [2]. Patches are available via OpenDev reviews (e.g., https://review.opendev.org/990500 for 2025.1/epoxy). All deployments running Keystone >=14.0.0 should upgrade immediately. No workaround is available; the fix prevents the JSON body from overwriting trusted target data. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication [2].

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • OpenStack/Keystone (inferred); 2 version entries, each without a CPE, both with range <29.0.2

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"User-controlled JSON request body is merged into the policy enforcement dictionary after trusted database-sourced target data, overwriting security-critical keys."

Attack vector

An authenticated attacker sends an HTTP request to any vulnerable Keystone endpoint that calls `enforce_call` and whose policy rule contains a `%(target.*)s` or `%(user_id)s` substitution. The attacker includes a JSON body with a `"target"` key containing attacker-controlled values (e.g., `{"target":{"credential":{"user_id":"ATTACKER_USER_ID"}}}`). Because `get_json` is called with `force=True`, the JSON body is parsed regardless of Content-Type or HTTP method (including GET, HEAD, DELETE). The `dict.update` overwrites the database-sourced target data with the attacker's values, so the policy check compares against attacker-supplied attributes instead of real database data. The policy check passes, but the API handler still reads resource identifiers from the URL path, so the operation executes against the victim's resource [ref_id=1].

Affected code

The vulnerability is in `keystone/common/rbac_enforcer/enforcer.py` at lines 478-479, in the `enforce_call` method. The code calls `flask.request.get_json(force=True, silent=True)` to parse the raw JSON request body, then unconditionally merges it into the policy enforcement dictionary via `policy_dict.update(json_input.copy())`. This overwrites trusted target data that was previously set from database lookups [ref_id=1].

What the fix does

The advisory does not include a specific patch diff, but describes the required fix approach. The root cause is that user-controlled data (the JSON request body) is merged into the policy enforcement dictionary after trusted database-sourced target attributes have been set, using a dict method that overwrites existing keys. The fix must either prevent the JSON body from overwriting security-critical keys, or namespace user input separately so it cannot collide with internal policy data [ref_id=1].
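To make the ordering problem concrete, the following is an added example written for this page; it is not Keystone code and does not reproduce the real enforcer or oslo.policy. It models a policy dictionary, a single simplified rule of the form `attr:%(path)s`, a `enforce_vulnerable` that merges the request body after the trusted target (the shape described above) and an `enforce_fixed` that follows the second fix approach named in the text: request-body data is kept under its own key and any reserved top-level key it tries to set is dropped and reported, then the database-sourced `target` is applied last so it always wins. The function names, `RESERVED_KEYS`, the `request_body` namespace and all sample identities are assumptions constructed for the illustration; only the body shape `{"target":{"credential":{"user_id":...}}}` comes from the advisory.

```python
# Added example (not Keystone code): toy model of the enforce_call ordering bug
# and of a fix that keeps request-body data from overwriting the trusted 'target'.
# resolve, check_rule, enforce_vulnerable, enforce_fixed, RESERVED_KEYS and the
# sample identities below are constructed for this illustration.
import copy

# Keys only the enforcer itself may set in the policy dictionary (assumption).
RESERVED_KEYS = frozenset({"target", "user_id", "project_id", "domain_id"})


def resolve(path, data):
    """Look up a dotted path such as 'target.credential.user_id' in nested dicts."""
    cur = data
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def check_rule(rule, creds, policy_dict):
    """Evaluate one simplified rule of the form 'attr:%(path)s'.

    Passes when the caller's credential attribute equals the value found at
    `path` in the policy dictionary, e.g. 'user_id:%(target.credential.user_id)s'.
    """
    attr, _, template = rule.partition(":")
    if not (template.startswith("%(") and template.endswith(")s")):
        raise ValueError("unsupported rule template: %r" % template)
    path = template[2:-2]
    return creds.get(attr) == resolve(path, policy_dict)


def enforce_vulnerable(rule, creds, trusted_target, json_input):
    """Described ordering: trusted target set first, request body merged last."""
    policy_dict = {"target": copy.deepcopy(trusted_target)}
    if json_input:
        # Same shape as policy_dict.update(json_input.copy()): a 'target' key in
        # the body silently replaces the database-sourced one.
        policy_dict.update(copy.deepcopy(json_input))
    return check_rule(rule, creds, policy_dict)


def enforce_fixed(rule, creds, trusted_target, json_input):
    """Hardened ordering: body namespaced, reserved keys dropped, target set last.

    Returns (allowed, dropped_keys) so the caller can log attempts to set
    internal keys from the request body.
    """
    policy_dict = {}
    dropped = []
    if json_input:
        body = {}
        for key, value in json_input.items():
            if key in RESERVED_KEYS:
                dropped.append(key)  # user input may never name an internal key
            else:
                body[key] = copy.deepcopy(value)
        policy_dict["request_body"] = body  # user data lives in its own subtree
    policy_dict["target"] = copy.deepcopy(trusted_target)  # trusted data wins
    return check_rule(rule, creds, policy_dict), dropped


def demo():
    """Run both enforcers on constructed data and return the outcomes."""
    rule = "user_id:%(target.credential.user_id)s"
    caller = {"user_id": "ATTACKER_USER_ID"}  # constructed caller identity
    foreign = {"credential": {"user_id": "VICTIM_USER_ID"}}  # constructed DB lookup
    own = {"credential": {"user_id": "ATTACKER_USER_ID"}}  # constructed DB lookup
    body = {"target": {"credential": {"user_id": "ATTACKER_USER_ID"}}}  # shape from advisory
    fixed_foreign, dropped = enforce_fixed(rule, caller, foreign, body)
    return {
        "vulnerable_allows_foreign": enforce_vulnerable(rule, caller, foreign, body),
        "fixed_allows_foreign": fixed_foreign,
        "fixed_dropped_keys": dropped,
        "fixed_allows_own": enforce_fixed(rule, caller, own, None)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two enforcers differ only in what happens to the body: in the vulnerable order the last `update` decides what `target` means, so the rule ends up comparing the caller against data the caller supplied; in the fixed order the body can never reach `target` and the dropped-key list gives a natural hook for logging or rejecting requests that carry a reserved key.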

Preconditions

  • auth: Attacker must have a valid authentication token for any Keystone user (no specific role required)
  • network: Attacker must be able to send HTTP requests to the Keystone API endpoint
  • config: The endpoint must call enforce_call with a policy rule containing %(target.*)s or %(user_id)s substitution
  • input: Attacker sends a JSON body with a 'target' key containing attacker-controlled attribute values

Reproduction

The advisory provides reproduction steps. For example, to harvest every credential in the deployment, an attacker with any valid token sends: `curl -s -X GET -H "X-Auth-Token: ATTACKER_TOKEN" -H "Content-Type: application/json" -d '{"target":{"credential":{"user_id":"ATTACKER_USER_ID"}}}' http://KEYSTONE:5000/v3/credentials`. The response contains every credential in the system including plaintext EC2 access/secret keys [ref_id=1].

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
