High severity7.9NVD Advisory· Published May 1, 2026· Updated May 4, 2026

CVE-2026-43001

Description

An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
keystonePyPI	>= 13.0.0, <= 29.0.1	—

Affected products

OpenStack/Keystoneinferred2 versions
>=13,<29+ 1 more
- (no CPE)range: >=13,<29
- cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*range: >=13.0.0,<=19.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

review.opendev.org/c/openstack/keystone/+/985804nvdPatchWEB
bugs.launchpad.net/keystone/+bug/2149775nvdExploitIssue TrackingWEB
github.com/advisories/GHSA-hhq2-3832-xxcvghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-43001ghsaADVISORY
review.opendev.org/c/openstack/keystoneghsaPACKAGE

News mentions

No linked articles in our index yet.

cvss	0.514
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000