Bug 2482825 (CVE-2026-42998) - CVE-2026-42998 openstack-keystone: OpenStack Keystone: User impersonation and unauthorized access via insufficient application credential verification.
Keywords:
Status: NEW
Alias: CVE-2026-42998
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-05-28 19:01 UTC by OSIDB Bzimport
Modified: 2026-06-03 22:56 UTC (History)
CC: 7 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments:

Description OSIDB Bzimport 2026-05-28 19:01:31 UTC
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects.
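The missing check the description refers to, shown as an added illustration that is not Keystone's code: a minimal in-memory model of application-credential authentication with a vulnerable verifier that attributes the token to whichever user the request body names, beside a hardened verifier that binds the token to the credential's owner and rejects a mismatching user block. The request shape, the user directory, the credential record and the SHA-256 secret hashing are all constructed assumptions for the example; Keystone's own storage and request handling differ.

```python
"""Toy model of the owner check behind CVE-2026-42998 (added example, not Keystone code)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AppCredential:
    id: str
    secret_hash: str       # hex SHA-256 of the secret (constructed; not Keystone's scheme)
    user_id: str           # the owner of the credential
    project_id: str
    roles: frozenset


@dataclass(frozen=True)
class User:
    id: str
    name: str
    domain: str
    project_roles: dict    # project_id -> frozenset of role names actually held


class AuthError(Exception):
    pass


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed directory: two users sharing project "proj-1"; alice owns credential "ac-1".
USERS = {
    "u-alice": User("u-alice", "alice", "Default", {"proj-1": frozenset({"member"})}),
    "u-bob": User("u-bob", "bob", "Default", {"proj-1": frozenset({"member", "admin"})}),
}
APP_CREDS = {
    "ac-1": AppCredential("ac-1", _hash("alice-secret"), "u-alice", "proj-1",
                          frozenset({"member", "admin"})),
}


def _lookup_user(name: str, domain: str) -> User:
    for user in USERS.values():
        if user.name == name and user.domain == domain:
            return user
    raise AuthError("no such user")


def _verify_secret(cred: AppCredential, secret: str) -> None:
    if not hmac.compare_digest(cred.secret_hash, _hash(secret)):
        raise AuthError("bad application credential secret")


def _issue_token(cred: AppCredential, user: User) -> dict:
    # Project-scoped token; effective roles are the intersection of the
    # credential's roles and the user's real roles on the project.
    effective = cred.roles & user.project_roles.get(cred.project_id, frozenset())
    return {"user_id": user.id, "project_id": cred.project_id, "roles": sorted(effective)}


def authenticate_vulnerable(request: dict) -> dict:
    """Verifies the secret, then trusts the user block in the body for attribution."""
    ac = request["auth"]["identity"]["application_credential"]
    cred = APP_CREDS[ac["id"]]
    _verify_secret(cred, ac["secret"])
    user = _lookup_user(ac["user"]["name"], ac["user"]["domain"]["name"])
    return _issue_token(cred, user)          # never compared against cred.user_id


def authenticate_hardened(request: dict) -> dict:
    """Attributes the token to the credential owner; a mismatching user block is an error."""
    ac = request["auth"]["identity"]["application_credential"]
    cred = APP_CREDS.get(ac["id"])
    if cred is None:
        raise AuthError("no such application credential")
    _verify_secret(cred, ac["secret"])
    owner = USERS[cred.user_id]
    if "user" in ac:
        claimed = _lookup_user(ac["user"]["name"], ac["user"]["domain"]["name"])
        if claimed.id != owner.id:
            raise AuthError("user in request does not own this application credential")
    return _issue_token(cred, owner)


def is_rejected(authenticate, request: dict) -> bool:
    """Test helper: True when the verifier refuses the request."""
    try:
        authenticate(request)
        return False
    except AuthError:
        return True


def _request(user_name: str) -> dict:
    # Constructed request (assumed shape): alice's credential id and secret with the given user block.
    return {"auth": {"identity": {"methods": ["application_credential"],
            "application_credential": {"id": "ac-1", "secret": "alice-secret",
                                       "user": {"name": user_name, "domain": {"name": "Default"}}}}}}


def owner_request() -> dict:
    return _request("alice")


def mismatched_user_request() -> dict:
    return _request("bob")   # regression case a defender would add to the test suite
```

Running `authenticate_vulnerable(mismatched_user_request())` yields a token for `u-bob` carrying the intersection of the credential's roles and bob's roles, exactly the behaviour the description attributes to the flaw, while `authenticate_hardened` refuses the same request and only ever issues a token for the credential's owner.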

