Your message dated Thu, 15 Jan 2026 22:06:00 +0000
with message-id <[email protected]>
and subject line Bug#1125680: fixed in python-keystonemiddleware 10.12.0-3
has caused the Debian Bug report #1125680,
regarding CVE-2026-22797 / OSSA-2026-001: Privilege Escalation via Identity Headers in External OAuth2 Tokens
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125680: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125680
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-keystonemiddleware
Version: 10.12.0-2
Severity: grave
Tags: patch

Copying official announcement:


Date: January 15, 2026
CVE: CVE-2026-22797

Affects Keystonemiddleware: >=10.0.0 <10.7.2, >=10.8.0 <10.9.1, >=10.10.0 <10.12.1

Description

Grzegorz Grasza with Red Hat reported a vulnerability in the
external_oauth2_token middleware for keystonemiddleware. This middleware
fails to sanitize incoming authentication headers before processing OAuth
2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project,
X-Roles, or X-User-Id, an authenticated attacker may escalate privileges
or impersonate other users. All deployments using the external_oauth2_token
middleware are affected.

Patches:
    https://review.opendev.org/973499 (2024.1/caracal)
    https://review.opendev.org/973497 (2024.2/dalmatian)
    https://review.opendev.org/973496 (2025.1/epoxy)
    https://review.opendev.org/973495 (2025.2/flamingo)
    https://review.opendev.org/973494 (2026.1/gazpacho)

Credits
    Grzegorz Grasza from Red Hat (CVE-2026-22797)

References
    https://launchpad.net/bugs/2129018
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22797

Notes:
The unmaintained/2024.1 branches will receive no new point releases, but
patches for them are provided as a courtesy.

This bug was possible because the middleware only conditionally set certain
headers (e.g., X-Is-Admin-Project was only set when the token had admin
privileges), leaving spoofed values intact when conditions were not met.

The fix adds a call to remove_auth_headers() at the start of request
processing to sanitize all incoming identity headers, matching the behavior
of the main auth_token middleware.

The external_oauth2_token middleware was introduced in keystonemiddleware
10.0.0.

--- End Message ---
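The advisory's Notes describe the defect as a conditional header set (X-Is-Admin-Project only written when the token carried admin rights) and the fix as an unconditional remove_auth_headers() at the start of request processing. The following toy WSGI middleware is an added illustration of that pattern and its remedy; it is not keystonemiddleware's code. The header names are the ones named in the advisory; the token store, the `strip_first` switch, the `backend_app` and the environ layout are constructed for the example.

```python
"""Toy WSGI identity-header middleware: conditional-set bug vs. strip-first fix.

Illustrative example, not keystonemiddleware's code. Header names follow the
advisory; the token store and request plumbing are constructed for the demo.
"""
import io

# Identity headers that only the middleware may set. A request header
# "X-User-Id" reaches a WSGI app as environ key "HTTP_X_USER_ID".
IDENTITY_HEADERS = ("X-User-Id", "X-Roles", "X-Is-Admin-Project", "X-Project-Id")


def _env_key(header):
    """Map an HTTP header name to its WSGI environ key."""
    return "HTTP_" + header.upper().replace("-", "_")


# Constructed token store standing in for the OAuth 2.0 introspection result.
TOKENS = {
    "tok-alice": {"user_id": "alice", "roles": ["member"], "project_id": "p1",
                  "admin_project": False},
    "tok-root": {"user_id": "root", "roles": ["admin"], "project_id": "admin",
                 "admin_project": True},
}


def validate_token(environ):
    """Return the identity bound to the bearer token, or None if invalid."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def remove_auth_headers(environ):
    """Drop every client-supplied identity header before we set our own."""
    for header in IDENTITY_HEADERS:
        environ.pop(_env_key(header), None)


def set_identity_headers(environ, token, strip_first):
    """Populate identity headers from the validated token.

    strip_first=False reproduces the bug pattern: X-Is-Admin-Project is only
    written when the condition holds, so a client-supplied value survives
    whenever it does not. strip_first=True is the fix: clear first, then set.
    """
    if strip_first:
        remove_auth_headers(environ)
    environ[_env_key("X-User-Id")] = token["user_id"]
    environ[_env_key("X-Roles")] = ",".join(token["roles"])
    environ[_env_key("X-Project-Id")] = token["project_id"]
    if token["admin_project"]:
        environ[_env_key("X-Is-Admin-Project")] = "True"


def make_identity_middleware(app, strip_first):
    """Wrap `app` so it only runs behind a validated token."""
    def middleware(environ, start_response):
        token = validate_token(environ)
        if token is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"unauthenticated"]
        set_identity_headers(environ, token, strip_first)
        return app(environ, start_response)
    return middleware


def backend_app(environ, start_response):
    """Downstream service that trusts the identity headers, as services behind
    the middleware do; it echoes what it would act on."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    body = "user={} roles={} admin_project={}".format(
        environ.get(_env_key("X-User-Id")),
        environ.get(_env_key("X-Roles")),
        environ.get(_env_key("X-Is-Admin-Project"), "False"))
    return [body.encode()]


def run_request(app, headers):
    """Drive a WSGI app with a constructed request; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "wsgi.input": io.BytesIO(b"")}
    for name, value in headers.items():
        environ[_env_key(name)] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def identity_seen_by_backend(strip_first):
    """Regression check: a valid low-privilege token arrives together with a
    client-supplied X-Is-Admin-Project header. Only the strip-first variant
    lets the backend see the token's real value."""
    app = make_identity_middleware(backend_app, strip_first)
    return run_request(app, {"Authorization": "Bearer tok-alice",
                             "X-Is-Admin-Project": "True"})


if __name__ == "__main__":
    print("conditional-set:", identity_seen_by_backend(strip_first=False))
    print("strip-first:    ", identity_seen_by_backend(strip_first=True))
```

The check is useful as a regression test in any proxy or middleware that translates an authenticated token into trusted headers: headers that are always overwritten (X-Roles, X-User-Id here) are safe even under the buggy path, but any header that is set only under some condition must be cleared unconditionally first, which is exactly what the upstream remove_auth_headers() call at the start of request processing does.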
--- Begin Message ---
Source: python-keystonemiddleware
Source-Version: 10.12.0-3
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-keystonemiddleware, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-keystonemiddleware 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 15 Jan 2026 08:51:19 +0100
Source: python-keystonemiddleware
Architecture: source
Version: 10.12.0-3
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1125680
Changes:
 python-keystonemiddleware (10.12.0-3) unstable; urgency=high
 .
   * CVE-2026-22797: privilege escalation via spoofed identity headers. Applied
     upstream patch: Fix privilege escalation via spoofed identity headers
     (Closes: #1125680).
Checksums-Sha1:
 26c7960c22ae2a387e52488461421533c6dda4b7 3170 python-keystonemiddleware_10.12.0-3.dsc
 6d6db8a06d7248a468f256216fc16a15e08962c6 7316 python-keystonemiddleware_10.12.0-3.debian.tar.xz
 1c2d64df86acbcfe6ba19df9ea8de7ffe43a3d30 19208 python-keystonemiddleware_10.12.0-3_amd64.buildinfo
Checksums-Sha256:
 a8580e5a3270047962f820b008857147e4647b79ca968d3331a4eca987bfd6e5 3170 python-keystonemiddleware_10.12.0-3.dsc
 00b8e8571a567a7a47cbff1638ea2fe2258c8bcab97baf47e5b77fab6b71302e 7316 python-keystonemiddleware_10.12.0-3.debian.tar.xz
 21b380d3d298bd59ed8f86d74d94d98d624ebec6a1f3651a7a21ccb8ee3077c9 19208 python-keystonemiddleware_10.12.0-3_amd64.buildinfo
Files:
 a372d617fbb259eff4cfb24a96f26e31 3170 python optional python-keystonemiddleware_10.12.0-3.dsc
 4fb03f329b5dee41c18ee52f31849128 7316 python optional python-keystonemiddleware_10.12.0-3.debian.tar.xz
 75a7711d245c68e9a24ce3625f99c523 19208 python optional python-keystonemiddleware_10.12.0-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgp54KLnjrsiF.pgp
Description: PGP signature


--- End Message ---
