Source: python-keystonemiddleware
Version: 10.12.0-2
Severity: grave
Tags: patch
Copying official announcement:
Date: January 15, 2026
CVE: CVE-2026-22797
Affects Keystonemiddleware: >=10.0.0 <10.7.2, >=10.8.0 <10.9.1, >=10.10.0 <10.12.1
Description
Grzegorz Grasza with Red Hat reported a vulnerability in the
external_oauth2_token middleware for keystonemiddleware. This middleware
fails to sanitize incoming authentication headers before processing OAuth
2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project,
X-Roles, or X-User-Id, an authenticated attacker may escalate privileges
or impersonate other users. All deployments using the external_oauth2_token
middleware are affected.
Patches:
https://review.opendev.org/973499 (2024.1/caracal)
https://review.opendev.org/973497 (2024.2/dalmatian)
https://review.opendev.org/973496 (2025.1/epoxy)
https://review.opendev.org/973495 (2025.2/flamingo)
https://review.opendev.org/973494 (2026.1/gazpacho)
Credits
Grzegorz Grasza from Red Hat (CVE-2026-22797)
References
https://launchpad.net/bugs/2129018
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22797
Notes:
The unmaintained/2024.1 branches will receive no new point releases, but
patches for them are provided as a courtesy.
This bug was possible because the middleware only conditionally set certain
headers (e.g., X-Is-Admin-Project was only set when the token had admin
privileges), leaving spoofed values intact when conditions were not met.
The fix adds a call to remove_auth_headers() at the start of request
processing to sanitize all incoming identity headers, matching the behavior
of the main auth_token middleware.
The external_oauth2_token middleware was introduced in keystonemiddleware
10.0.0.
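The following is an added, constructed illustration of the bug class the notes above describe: a WSGI middleware that sets identity headers from a validated token but only conditionally sets X-Is-Admin-Project, beside the same middleware with a remove_auth_headers() call at the start of request processing. It is not keystonemiddleware's code; the class names, the list of identity headers, the in-memory token table standing in for OAuth 2.0 token introspection, and the WSGI plumbing are all assumptions made for this example. Which headers the real middleware set conditionally beyond X-Is-Admin-Project is not stated in the advisory, so the example uses that one.

```python
# Constructed illustration of the header-spoofing bug class described in the
# notes above. NOT keystonemiddleware's code: the class names, the header
# list, the token table and the WSGI plumbing are assumptions for this example.

AUTH_HEADERS = (
    "X-User-Id", "X-User-Name", "X-Project-Id", "X-Project-Name",
    "X-Roles", "X-Is-Admin-Project", "X-Identity-Status",
)

# Constructed token table standing in for OAuth 2.0 token introspection.
TOKENS = {
    "alice-token": {"user_id": "alice", "roles": ["member"], "is_admin_project": False},
    "root-token": {"user_id": "root", "roles": ["admin"], "is_admin_project": True},
}


def env_key(header):
    """Map an HTTP header name to its WSGI environ key (X-Roles -> HTTP_X_ROLES)."""
    return "HTTP_" + header.upper().replace("-", "_")


def remove_auth_headers(environ):
    """Drop every client-supplied identity header before the middleware sets its own.

    Assumed here to mirror what the fix does; the real function lives in
    keystonemiddleware and is not reproduced.
    """
    for header in AUTH_HEADERS:
        environ.pop(env_key(header), None)


def validate_token(token):
    """Constructed stand-in for token introspection: returns claims or None."""
    return TOKENS.get(token)


class VulnerableOAuth2Middleware:
    """Sets identity headers from the token but never strips incoming ones."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        auth = environ.get("HTTP_AUTHORIZATION", "")
        claims = validate_token(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
        if claims is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"unauthorized"]
        # Unconditionally set headers overwrite whatever the client sent...
        environ[env_key("X-User-Id")] = claims["user_id"]
        environ[env_key("X-Roles")] = ",".join(claims["roles"])
        environ[env_key("X-Identity-Status")] = "Confirmed"
        # ...but a header that is only set when a condition holds leaves a
        # client-supplied value untouched when it does not. This is the bug.
        if claims["is_admin_project"]:
            environ[env_key("X-Is-Admin-Project")] = "True"
        return self.app(environ, start_response)


class FixedOAuth2Middleware(VulnerableOAuth2Middleware):
    """Same logic, but all incoming identity headers are removed first."""

    def __call__(self, environ, start_response):
        remove_auth_headers(environ)
        return super().__call__(environ, start_response)


def identity_seen_by_app(middleware_cls, token, spoofed_headers):
    """Run one request through the middleware and report what the backend sees.

    Returns (status, {header: value}) for the identity headers present in the
    environ handed to the wrapped application.
    """
    seen = {}
    status = []

    def backend(environ, start_response):
        for header in AUTH_HEADERS:
            if env_key(header) in environ:
                seen[header] = environ[env_key(header)]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    def start_response(status_line, headers, exc_info=None):
        status.append(status_line)

    environ = {"REQUEST_METHOD": "GET", "HTTP_AUTHORIZATION": "Bearer " + token}
    for header, value in spoofed_headers.items():
        environ[env_key(header)] = value  # forged headers from the client
    middleware_cls(backend)(environ, start_response)
    return status[0], seen


if __name__ == "__main__":
    spoof = {"X-Is-Admin-Project": "True", "X-Roles": "admin", "X-User-Id": "root"}
    print("vulnerable:", identity_seen_by_app(VulnerableOAuth2Middleware, "alice-token", spoof))
    print("fixed:     ", identity_seen_by_app(FixedOAuth2Middleware, "alice-token", spoof))
```

With a non-admin token and forged X-Is-Admin-Project, X-Roles and X-User-Id headers, the vulnerable middleware overwrites the two headers it always sets but passes the forged X-Is-Admin-Project through to the backend; the fixed middleware strips everything first, so the backend only ever sees values the middleware itself derived from the token. The practical check for a deployment is the same: send a request with forged X-* identity headers and confirm none of them reach the service behind the middleware.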