Four Critical OpenStack Keystone Flaws Enable Privilege Escalation and Impersonation
Ubuntu security updates address multiple vulnerabilities in OpenStack Keystone that allow authenticated attackers to bypass role restrictions, impersonate users, and inject malicious policy attributes. Organizations running affected Ubuntu LTS releases should apply patches immediately.
TL;DR
- Application credential restrictions can be bypassed to create EC2 credentials with elevated privileges
- LDAP identity backend flaw allows attackers to authenticate as disabled users
- Authentication plugin fails to verify credential ownership, enabling user impersonation attacks
- Policy enforcer vulnerability permits JSON injection to overwrite trusted security attributes
Canonical has released security updates addressing four distinct vulnerabilities in OpenStack Keystone, the identity and access management service for OpenStack deployments. These flaws span authentication, authorization, and policy enforcement mechanisms, collectively enabling authenticated attackers to escalate privileges, impersonate other users, and manipulate security policies.
The vulnerabilities affect multiple Ubuntu LTS releases including 22.04, 24.04, and 25.10. Organizations operating OpenStack infrastructure should prioritize applying these patches to prevent unauthorized access and lateral movement within their cloud environments.
Privilege Escalation via Application Credentials
- CVE-2026-33551 allows restricted application credentials to create EC2 credentials, bypassing intended role limitations
- Authenticated users with only reader roles can exploit this to gain elevated access
- Affects the application credential lifecycle management in Keystone
Authentication Bypass and User Impersonation
- CVE-2026-40683: the LDAP identity backend fails to properly convert the user's enabled attribute to a boolean, allowing disabled users to authenticate
- CVE-2026-42998: Application credential authentication plugin does not validate that the supplied user matches the credential owner, enabling impersonation
- Attackers can gain unauthorized access to tokens and credentials of other users
Policy Injection and Attribute Manipulation
- CVE-2026-42998 (policy component): RBAC enforcer unconditionally merges raw JSON request bodies into policy dictionaries
- Attackers can inject arbitrary policy attributes and overwrite trusted security data
- Allows circumvention of intended access control policies
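The merge behaviour described in this section, as an added, simplified Python illustration (not Keystone's own code; the trusted attribute names, sample token context and sample request body are constructed assumptions): the unconditional merge of a request body over token-derived attributes, beside a version that rejects colliding keys and keeps body data under its own namespace.

```python
"""Simplified illustration of the policy-dictionary merge flaw described
above. Not Keystone's own code; all names and values are assumptions."""
import json


class PolicyInjectionError(ValueError):
    """Raised when a request body tries to redefine a trusted attribute."""


# Attributes the enforcer derives from the validated token. Constructed
# for this example; Keystone's real attribute set may differ.
TRUSTED_KEYS = frozenset({"user_id", "project_id", "domain_id", "roles"})

# Constructed sample token context for a reader-only user.
TOKEN_ATTRS = {"user_id": "u-1", "project_id": "p-1", "roles": ["reader"]}

# Constructed sample request body: one legitimate field plus a key that
# collides with a token-derived attribute.
SAMPLE_BODY = {"name": "renamed-user", "roles": ["admin"]}


def parse_body(raw):
    """Decode a JSON request body, insisting on a JSON object."""
    body = json.loads(raw)
    if not isinstance(body, dict):
        raise PolicyInjectionError("request body must be a JSON object")
    return body


def build_policy_dict_unsafe(token_attrs, body):
    """Vulnerable pattern: body keys are merged over trusted attributes."""
    policy = dict(token_attrs)
    policy.update(body)  # any body key overwrites token-derived data
    return policy


def build_policy_dict_safe(token_attrs, body):
    """Hardened pattern: reject collisions and namespace the body."""
    collisions = TRUSTED_KEYS.intersection(body)
    if collisions:
        raise PolicyInjectionError(
            "body redefines trusted attributes: %s" % sorted(collisions))
    policy = dict(token_attrs)
    policy["body"] = dict(body)  # rules address it as target.body.<key>
    return policy


def is_admin(policy):
    """A minimal rule check analogous to 'role:admin'."""
    return "admin" in policy.get("roles", [])
```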
Affected Versions and Mitigation
- Ubuntu 22.04 LTS, 24.04 LTS, and 25.10 require immediate patching
- Apply USN-8433-1 security updates to OpenStack Keystone packages
- Review and audit application credentials and LDAP user configurations post-patch
Sources