CVE-2026-43000
Description
An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In OpenStack Keystone before 29.0.2, an attacker with the member role on a project can chain application credential impersonation with trusts to escalate to admin.
Vulnerability
OpenStack Keystone versions >=14.0.0 <27.0.2, >=28.0.0 <28.0.2, and >=29.0.0 <29.0.2 are affected by CVE-2026-43000 [2]. The vulnerability arises when an attacker, holding a valid application credential on a project, authenticates to the POST /v3/auth/tokens endpoint without the endpoint verifying that the specified user matches the credential owner [1]. By including a victim's user identity in the payload, the attacker obtains a token attributed to the victim. If the attacker created the application credential with unrestricted set to true, the impersonated token can be used to create a trust naming the victim as trustor and the attacker as trustee [1]. Keystone validates the trustor against the impersonated token's identity, which passes, but then checks delegated roles against the victim's actual database assignments, not the token's roles, allowing delegation of roles the victim holds but the attacker does not [1].
Exploitation
An attacker with the member role on a project can impersonate a victim who shares that project [1]. The attacker creates an application credential with unrestricted=true, then calls POST /v3/auth/tokens supplying their own credential ID and secret but with the victim's username and domain in the user field [1]. The resulting impersonated token is project-scoped, carrying the intersection of the credential's roles and the victim's actual roles [1]. The attacker then uses this token to create a trust, naming the victim as trustor and the attacker as trustee, delegating the victim's admin role to the attacker [1]. The trust persists independently, and the attacker can create additional trusts and application credentials to maintain access [1]. All actions are logged under the victim's identity [1].
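To make the two checks described in the Vulnerability and Exploitation sections concrete, the following Python model is an added illustration (not Keystone's source code and not the upstream patch). It models application-credential authentication with and without an owner check, and trust creation with the delegated roles validated against the trustor's stored assignments only, or additionally bound to the requesting token's roles. All users, projects, role assignments and the credential secret are constructed; `check_owner` and `bind_to_token_roles` are hypothetical switches used only to contrast the flawed path with two possible hardenings.

```python
from dataclasses import dataclass


class AuthError(Exception):
    """Raised when a modelled Keystone check rejects the request."""


@dataclass(frozen=True)
class AppCredential:
    cred_id: str
    secret: str
    owner: str          # user who created the credential
    project: str
    roles: frozenset    # roles the credential was created with
    unrestricted: bool  # True allows the credential to create trusts/app creds


@dataclass(frozen=True)
class Token:
    user: str           # identity the token is attributed to
    project: str
    roles: frozenset
    from_unrestricted_app_cred: bool


# Constructed role-assignment "database": user -> project -> roles.
ASSIGNMENTS = {
    "victim": {"proj-a": frozenset({"admin", "member"})},
    "attacker": {"proj-a": frozenset({"member"})},
}

# Constructed application credential owned by the member-role user.
APP_CREDS = {
    "ac-1": AppCredential("ac-1", "example-secret", "attacker", "proj-a",
                          frozenset({"member"}), unrestricted=True),
}


def db_roles(user: str, project: str) -> frozenset:
    """Stored role assignments for a user on a project (constructed data)."""
    return ASSIGNMENTS.get(user, {}).get(project, frozenset())


def issue_token(cred_id: str, secret: str, requested_user: str, *,
                check_owner: bool) -> Token:
    """Model of POST /v3/auth/tokens with an application credential.

    check_owner=False reproduces the flaw the advisory describes: the user
    named in the request is never compared with the credential's owner, so
    the token is attributed to whoever the caller names.
    """
    cred = APP_CREDS.get(cred_id)
    if cred is None or cred.secret != secret:
        raise AuthError("invalid application credential")
    if check_owner and requested_user != cred.owner:
        raise AuthError("requested user does not match credential owner")
    # Token roles: intersection of the credential's roles and the named
    # user's stored roles, as the advisory describes for the impersonated token.
    roles = cred.roles & db_roles(requested_user, cred.project)
    return Token(requested_user, cred.project, roles, cred.unrestricted)


def create_trust(token: Token, trustor: str, trustee: str, roles: set, *,
                 bind_to_token_roles: bool) -> dict:
    """Model of trust creation.

    The trustor check compares against the token's identity and so passes for
    an impersonated token. With bind_to_token_roles=False the delegated roles
    are validated only against the trustor's stored assignments (the behaviour
    the advisory describes); True additionally limits them to the roles on the
    requesting token, an illustrative hardening, not necessarily the fix.
    """
    if token.user != trustor:
        raise AuthError("trustor must be the requesting token's user")
    if not token.from_unrestricted_app_cred:
        raise AuthError("restricted application credentials cannot create trusts")
    allowed = db_roles(trustor, token.project)
    if bind_to_token_roles:
        allowed &= token.roles
    missing = set(roles) - allowed
    if missing:
        raise AuthError(f"cannot delegate roles not held: {sorted(missing)}")
    return {"trustor": trustor, "trustee": trustee,
            "project": token.project, "roles": sorted(roles)}


def admin_delegation_possible(*, check_owner: bool, bind_to_token_roles: bool) -> bool:
    """Does the member-role user end up with a trust delegating 'admin'?"""
    try:
        token = issue_token("ac-1", "example-secret", "victim", check_owner=check_owner)
        trust = create_trust(token, "victim", "attacker", {"admin"},
                             bind_to_token_roles=bind_to_token_roles)
    except AuthError:
        return False
    return "admin" in trust["roles"]


if __name__ == "__main__":
    print("no owner check, DB roles only:", admin_delegation_possible(check_owner=False, bind_to_token_roles=False))
    print("owner check:", admin_delegation_possible(check_owner=True, bind_to_token_roles=False))
    print("roles bound to token:", admin_delegation_possible(check_owner=False, bind_to_token_roles=True))
```

Running the block shows that either check on its own stops the chain: rejecting a mismatched user at authentication removes the impersonated token, and bounding delegated roles by the requesting token's roles means a token carrying only `member` can never delegate `admin`. Only the combination the advisory describes (no owner check, delegation validated against stored assignments alone) lets the `member` user obtain a trust carrying the victim's `admin` role.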
Impact
Successful exploitation allows the attacker to escalate their privilege from member to admin within the project [1]. Once admin, the attacker gains full control over project resources, can read and revoke credentials, delete the victim's trusts and access rules, and evade audit trails because actions are attributed to the victim [1]. The trust persists independently, enabling long-term unauthorized access [1].
Mitigation
Fixed versions are 27.0.2, 28.0.2, and 29.0.2 [2]. Patches are available via OpenDev review links [2]. Upgrading to these or later versions (>=27.0.2, >=28.0.2, >=29.0.2) resolves the issue [2]. No workarounds are documented in the provided references. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.