
[USN-8433-1] OpenStack Keystone vulnerabilities

Posted on 16 June 2026
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-8433-1
June 16, 2026

keystone vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in OpenStack Keystone.

Software Description:
- keystone: OpenStack identity service

Details:

It was discovered that OpenStack Keystone allowed restricted application
credentials to create EC2 credentials. An authenticated attacker with only
a reader role could possibly use this issue to bypass the role restrictions
imposed on the application credential. (CVE-2026-33551)

It was discovered that the OpenStack Keystone LDAP identity backend did
not correctly convert the user enabled attribute to a boolean value.
An attacker could possibly use this issue to authenticate as a user disabled
in LDAP. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,
and Ubuntu 25.10. (CVE-2026-40683)
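The LDAP issue above is a conversion bug: a directory returns the enabled attribute as a string such as "FALSE", and a converter that relies on Python truthiness treats any non-empty string as True. The following is an added example, not Keystone's own code, contrasting that pitfall with a converter that fails closed. The mask and invert handling mirrors the semantics of Keystone's real user_enabled_mask and user_enabled_invert options, but the function and its signature here are a simplified stand-in, not the driver's implementation.

```python
# Added example (not Keystone's code): converting an LDAP "enabled" attribute
# to a bool without the truthiness pitfall that lets "FALSE" read as enabled.
from typing import Union

LdapValue = Union[str, bytes, int, None]

_TRUE = {"true", "t", "yes", "y", "1", "on"}
_FALSE = {"false", "f", "no", "n", "0", "off"}


def naive_enabled(value: LdapValue) -> bool:
    """The broken form: bool("FALSE") is True, so a disabled user is enabled."""
    return bool(value)


def ldap_enabled(value: LdapValue, *, mask: int = 0, invert: bool = False,
                 default: bool = True) -> bool:
    """Return True only when the attribute positively says the account is enabled.

    value   raw attribute value as an LDAP client returns it (str, bytes, int or None)
    mask    if non-zero, value is an integer flags field and (value & mask) != 0
            means *disabled* (userAccountControl style); like Keystone's
            user_enabled_mask, it takes precedence over invert
    invert  the attribute means "locked/disabled" rather than "enabled"
            (cf. Keystone's user_enabled_invert; ignored when mask is set)
    default what to return when the attribute is absent
    """
    if value is None:
        return default
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    if mask:
        # Bitmask form: a set bit marks the account as disabled.
        return (int(value) & mask) == 0
    text = str(value).strip().lower()
    if text in _TRUE:
        enabled = True
    elif text in _FALSE:
        enabled = False
    else:
        # Unknown spelling: refuse rather than guess, so a surprise value
        # can never silently enable an account.
        raise ValueError(f"unrecognised LDAP boolean value: {value!r}")
    return (not enabled) if invert else enabled
```

The ValueError branch is the important design choice: an unrecognised value is a configuration problem to surface, not a case to default to enabled.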

It was discovered that OpenStack Keystone's application credential
authentication plugin did not verify that the user supplied in an
authentication request matched the credential owner. An authenticated
attacker could possibly impersonate another user and gain access to their
tokens and credentials. (CVE-2026-42998)

It was discovered that OpenStack Keystone's RBAC policy enforcer
unconditionally merged the raw JSON request body into the policy enforcement
dictionary, overwriting trusted target data. An authenticated attacker could
possibly use this issue to inject arbitrary policy attributes to bypass RBAC
checks. (CVE-2026-42999)
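The RBAC enforcer issue is the mass-assignment pattern applied to a policy target: attributes the server resolved itself (the project or user a resource belongs to) are overwritten by whatever the client put in the body. The example below is added here and is not Keystone's code or oslo.policy's API; it shows the broken merge next to a version that only copies allow-listed body keys and refuses any that collide with a trusted attribute. The names, the allow-list and the stand-in policy rule are all assumptions for illustration.

```python
# Added example (not Keystone's code): building the target dictionary for an
# RBAC check so that the request body can never overwrite trusted attributes.
from typing import Any, FrozenSet, Mapping


class PolicyError(Exception):
    pass


def build_target_unsafe(trusted: Mapping[str, Any], body: Mapping[str, Any]) -> dict:
    """The broken pattern: the raw JSON body is merged last, so a body key such as
    "project_id" replaces the value the server looked up."""
    target = dict(trusted)
    target.update(body)
    return target


def build_target(trusted: Mapping[str, Any], body: Mapping[str, Any],
                 allowed: FrozenSet[str]) -> dict:
    """Trusted attributes win. Only allow-listed body keys are copied, and a body
    key that names a trusted attribute is rejected outright."""
    target = dict(trusted)
    for key, value in body.items():
        if key not in allowed:
            continue  # the policy does not need it, so it never reaches the enforcer
        if key in trusted:
            raise PolicyError(f"request body may not override trusted attribute {key!r}")
        target[key] = value
    return target


def enforce_project_scope(target: Mapping[str, Any], token_project_id: str) -> bool:
    """Minimal stand-in for a rule like "project_id:%(target.project_id)s"."""
    return target.get("project_id") == token_project_id
```

A useful regression test for any enforcer of this shape is the last assertion pattern: a body carrying a trusted key must be an error, not a silent override.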

It was discovered that OpenStack Keystone allowed an attacker with the member
role to escalate privileges to admin by chaining application credential
impersonation with Keystone trusts. An attacker could possibly use this
issue to create a persistent trust delegating the victim's admin role to
themselves. (CVE-2026-43000)

It was discovered that OpenStack Keystone did not validate that the project_id
for an EC2 credential matched the project of the authenticating application
credential. An attacker with valid credentials for one project could possibly
use this issue to create EC2 credentials targeting a different project.
(CVE-2026-43001)

It was discovered that OpenStack Keystone's federated token rescoping mechanism
did not propagate the original token's expiry to the newly issued token. A
remote attacker could possibly use this issue to maintain access indefinitely by
repeatedly rescoping tokens before expiry. (CVE-2026-44394)
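The rescoping issue is a ceiling that was never carried forward: each rescope minted a token with a full fresh lifetime, so a chain of rescopes never ends. The example below is added here and is not Keystone's token provider; it models a token with an inherited ceiling and shows that a chain of rescopes cannot outlive the token that started it. The Token fields, the one-hour lifetime and the helper names are assumptions for illustration.

```python
# Added example (not Keystone's code): rescoping a token while propagating the
# original expiry, so repeated rescopes cannot extend a session indefinitely.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

TOKEN_LIFETIME = timedelta(hours=1)  # assumed lifetime for this example


@dataclass(frozen=True)
class Token:
    user_id: str
    issued_at: datetime
    expires_at: datetime
    project_id: Optional[str] = None
    # Expiry of the token that started the chain; None for a directly issued token.
    origin_expires_at: Optional[datetime] = None


class TokenError(Exception):
    pass


def rescope_unsafe(token: Token, project_id: str, now: datetime) -> Token:
    """Broken form: a fresh lifetime on every rescope, original expiry dropped."""
    return Token(token.user_id, now, now + TOKEN_LIFETIME, project_id, None)


def rescope(token: Token, project_id: str, now: datetime) -> Token:
    """Hardened form: new expiry is the earlier of a fresh lifetime and the
    ceiling inherited from the original token, and that ceiling is passed on."""
    if now >= token.expires_at:
        raise TokenError("cannot rescope an expired token")
    ceiling = token.origin_expires_at if token.origin_expires_at is not None else token.expires_at
    expires_at = min(now + TOKEN_LIFETIME, ceiling)
    return Token(token.user_id, now, expires_at, project_id, ceiling)


def rescope_chain(token: Token, project_id: str, start: datetime, step: timedelta,
                  rounds: int, fn: Callable[[Token, str, datetime], Token] = rescope) -> datetime:
    """Rescope `rounds` times, `step` apart, and return the final expiry."""
    now = start
    for _ in range(rounds):
        token = fn(token, project_id, now)
        now += step
    return token.expires_at


if __name__ == "__main__":
    t0 = datetime(2026, 6, 16, 12, 0, tzinfo=timezone.utc)  # constructed sample time
    origin = Token("user-1", t0, t0 + TOKEN_LIFETIME)
    print("safe chain ends at  ", rescope_chain(origin, "proj-a", t0, timedelta(minutes=30), 2))
    print("unsafe chain ends at", rescope_chain(origin, "proj-a", t0, timedelta(minutes=30), 2, rescope_unsafe))
```

For detection, the same invariant is easy to audit in token records: no token whose audit chain leads back to a federated login should expire later than that login's original token.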

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
keystone 2:29.0.0-0ubuntu1.2
keystone-common 2:29.0.0-0ubuntu1.2
keystone-doc 2:29.0.0-0ubuntu1.2
python3-keystone 2:29.0.0-0ubuntu1.2

Ubuntu 25.10
keystone 2:28.0.0-0ubuntu1.3
keystone-common 2:28.0.0-0ubuntu1.3
keystone-doc 2:28.0.0-0ubuntu1.3
python3-keystone 2:28.0.0-0ubuntu1.3

Ubuntu 24.04 LTS
keystone 2:25.0.0-0ubuntu1.4
keystone-common 2:25.0.0-0ubuntu1.4
keystone-doc 2:25.0.0-0ubuntu1.4
python3-keystone 2:25.0.0-0ubuntu1.4

Ubuntu 22.04 LTS
keystone 2:21.0.1-0ubuntu2.4
keystone-common 2:21.0.1-0ubuntu2.4
keystone-doc 2:21.0.1-0ubuntu2.4
python3-keystone 2:21.0.1-0ubuntu2.4

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8433-1
CVE-2026-33551, CVE-2026-40683, CVE-2026-42998, CVE-2026-42999,
CVE-2026-43000, CVE-2026-43001, CVE-2026-44394

Package Information:
https://launchpad.net/ubuntu/+source/keystone/2:29.0.0-0ubuntu1.2
https://launchpad.net/ubuntu/+source/keystone/2:28.0.0-0ubuntu1.3
https://launchpad.net/ubuntu/+source/keystone/2:25.0.0-0ubuntu1.4
https://launchpad.net/ubuntu/+source/keystone/2:21.0.1-0ubuntu2.4
