-------------------------------------------------------------------------
Debian LTS Advisory DLA-4611-1                [email protected]
https://www.debian.org/lts/security/               Santiago Ruano Rincón
May 31, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : keystone
Version        : 2:18.1.0-1+deb11u3
CVE ID         : CVE-2026-33551 CVE-2026-40683 CVE-2026-42998 CVE-2026-42999
                 CVE-2026-43000 CVE-2026-43001 CVE-2026-44394
Debian Bug     : 1133118 1133884 1135645

Multiple vulnerabilities have been found in Keystone, the OpenStack identity
service, including privilege escalation and authorization and access
control flaws.

CVE-2026-33551

    An authenticated user with only a reader role may obtain an EC2/S3
    credential that carries the full set of the parent user's S3
    permissions, bypassing the role restrictions imposed on the
    application credential. Only deployments that use restricted application
    credentials in combination with the EC2/S3 compatibility API
    (swift3/s3api) are affected.  Reported by Maxence Bornecque, from
    Orange Cyberdefense CERT Vulnerability Intelligence Watch Team.

CVE-2026-40683

    The LDAP identity backend does not convert the enabled attribute to a
    boolean. When the user_enabled_invert configuration option was False
    (the default), Keystone did not correctly interpret the LDAP enabled
    attribute, causing users disabled in LDAP to be treated as enabled and
    allowed to authenticate. Deployments using the LDAP identity backend
    without user_enabled_invert=True or user_enabled_emulation are affected.
    Independently reported by Benedikt Trefzer and Andrew Bogott.
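The following is an added example, not part of the Debian advisory and not Keystone's own code. It reads a keystone.conf and reports whether the deployment matches the configuration the advisory names as affected by CVE-2026-40683 (LDAP identity backend with neither user_enabled_invert=True nor user_enabled_emulation). The three sample configurations are constructed for this demonstration; the option names ([identity] driver, [ldap] user_enabled_invert, user_enabled_emulation) are Keystone's real options, and the check is a triage aid only, not a substitute for upgrading to the fixed package.

```python
"""Triage helper (added example): does a keystone.conf match the affected
configuration described for CVE-2026-40683?"""
import configparser
import io
from typing import Optional, Tuple

# Constructed sample: LDAP backend with the defaults the advisory calls affected.
VULNERABLE_CONF = """
[identity]
driver = ldap

[ldap]
url = ldap://ldap.example.internal
user_enabled_attribute = enabled
user_enabled_invert = False
user_enabled_emulation = False
"""

# Constructed sample: same deployment with enabled-state emulation switched on.
MITIGATED_CONF = """
[identity]
driver = ldap

[ldap]
url = ldap://ldap.example.internal
user_enabled_emulation = True
user_enabled_emulation_dn = cn=enabled_users,ou=groups,dc=example,dc=internal
"""

# Constructed sample: SQL identity backend, to which the LDAP flaw does not apply.
SQL_CONF = """
[identity]
driver = sql
"""


def _as_bool(value: Optional[str], default: bool) -> bool:
    """Interpret an oslo.config-style boolean string; None means the option is unset."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "1", "yes", "on")


def ldap_enabled_check_affected(conf_text: str) -> Tuple[bool, str]:
    """Return (affected, reason) for CVE-2026-40683 given keystone.conf text.

    The conditions mirror the advisory: the identity driver is ldap, and neither
    user_enabled_invert=True nor user_enabled_emulation is configured.
    """
    # strict=False tolerates duplicate keys that real keystone.conf files may
    # carry; interpolation=None keeps '%' in values from being interpreted.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(conf_text))

    # Keystone's identity driver defaults to sql when the option is absent.
    driver = cp.get("identity", "driver", fallback="sql").strip().lower()
    if driver != "ldap":
        return False, f"identity driver is {driver!r}, not ldap"

    invert = _as_bool(cp.get("ldap", "user_enabled_invert", fallback=None), False)
    emulation = _as_bool(cp.get("ldap", "user_enabled_emulation", fallback=None), False)

    if invert:
        return False, "user_enabled_invert=True: not in the affected configuration"
    if emulation:
        return False, "user_enabled_emulation is on: not in the affected configuration"
    return True, ("LDAP backend with user_enabled_invert=False and no "
                  "user_enabled_emulation: users disabled in LDAP may still authenticate")


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_CONF),
                       ("mitigated", MITIGATED_CONF),
                       ("sql", SQL_CONF)):
        affected, reason = ldap_enabled_check_affected(text)
        print(f"{name:>10}: affected={affected} ({reason})")
```

To run it against a real deployment, replace the constructed samples with the contents of /etc/keystone/keystone.conf (and any drop-in files). A non-affected configuration only narrows the exposure to this one CVE; the other six issues in this advisory do not depend on the LDAP settings, so the package upgrade is still required.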

CVE-2026-42998

    Application credential authentication does not verify the caller owns
    the credential, allowing user impersonation within a shared project.
    Reported by Boris Bobrov, from SAP SE.

CVE-2026-42999

    An attacker can inject RBAC policy targets via the JSON request body,
    bypassing authorization on any policy-protected endpoint.  This allows
    reading all credential secrets, creating credentials for arbitrary
    users, and granting admin across domains. Reported by Boris Bobrov,
    from SAP SE.

CVE-2026-43000

    The impersonation from CVE-2026-42998 can be chained with trusts to
    escalate from member to admin. The resulting trust persists
    independently of the original credential. Reported by Boris Bobrov, from
    SAP SE.

CVE-2026-43001

    Application credentials scoped to one project can create EC2
    credentials for a different project. Reported by Tim Shepherd,
    roiai.ca.

CVE-2026-44394

    Federated users can maintain access indefinitely by repeatedly
    re-scoping tokens before expiry. Each re-scope issues a fresh full-TTL
    token instead of inheriting the original expiry. Only SAML2/OIDC
    deployments are affected. Reported by Erichen, Institute of Computing
    Technology, Chinese Academy of Sciences.

For Debian 11 bullseye, these problems have been fixed in version
2:18.1.0-1+deb11u3.

We recommend that you upgrade your keystone packages.

For the detailed security status of keystone please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/keystone

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
