{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-33551", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-10T03:07:01.673Z", "dateReserved": "2026-03-22T00:00:00.000Z", "datePublished": "2026-04-10T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Keystone", "vendor": "OpenStack", "versions": [{"lessThan": "26.1.1", "status": "affected", "version": "14.0.0", "versionType": "semver"}, {"status": "affected", "version": "27.0.0", "versionType": "semver"}, {"status": "affected", "version": "28.0.0", "versionType": "semver"}, {"status": "affected", "version": "29.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T02:02:56.184Z"}, "references": [{"url": "https://bugs.launchpad.net/keystone/+bug/2142138"}, {"url": "https://security.openstack.org/ossa/OSSA-2026-005.html"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "14.0.0", "versionEndExcluding": "26.1.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "27.0.0", "versionEndIncluding": "27.0.0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "28.0.0", "versionEndIncluding": "28.0.0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "29.0.0", "versionEndIncluding": "29.0.0"}]}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-10T03:07:01.673Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected."}], "id": "CVE-2026-33551", "lastModified": "2026-04-10T04:17:15.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-10T03:16:02.723", "references": [{"source": "cve@mitre.org", "url": "https://bugs.launchpad.net/keystone/+bug/2142138"}, {"source": "cve@mitre.org", "url": "https://security.openstack.org/ossa/OSSA-2026-005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[14.0.0,26.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "27.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "28.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "29.0.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Keystone", "source": "cna", "vendor": "OpenStack"}, "product": "keystone", "vendor": "openstack"}], "analysis": {"en": {"generated_at": "2026-04-10T03:21:55.602362+00:00", "value": {"mitigation_remediation": ["Upgrade OpenStack Keystone to version 26.1.1 or newer, including 27.x, 28.x, and 29.x releases, following the official security update.", "If an immediate upgrade is not possible, disable or avoid the use of EC2/S3 compatibility APIs (swift3 / s3api) with restricted application credentials.", "Verify the current Keystone version and confirm it is not within the affected range.", "Apply any vendor-recommended configuration changes as outlined in the OpenStack OSSA advisory."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized EC2/S3 credentials obtained through restricted application credentials"}, "threat_synthesis": {"affected_systems": "OpenStack Keystone deployments that use restricted application credentials together with the EC2/S3 compatibility API (swift3 / s3api) are affected. The vulnerability exists in Keystone releases 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Systems running later versions or that do not use the compatibility API are not impacted.", "description_and_impact": "An issue in OpenStack Keystone versions 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0 allows an authenticated user who holds only a reader role to use a restricted application credential to create EC2 credentials. Because the API client does not enforce the parent credential's restrictions, the resulting EC2/S3 credential contains the full set of permissions assigned to the parent user. This bypasses the intended role limits of the application credential, giving the attacker unauthorized access to S3 resources. The weakness is a privilege escalation flaw, identified as CWE-863.", "risk_and_exploitability": "The CVSS score for this flaw is 3.5, indicating a low severity assessment, and the EPSS score is not available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated user with an application-restricted credential; the attacker can then invoke the EC2 credential creation endpoint to obtain elevated S3 permissions. While the impact is limited to the confines of the Keystone deployment and requires prior authorization, the ability to obtain full parent permissions can have significant consequences for data confidentiality."}}}}, "created": "2026-04-10T08:36:22.771848+00:00", "title": "Privilege Escalation via Restricted Application Credentials in OpenStack Keystone", "updated": "2026-04-10T09:27:22.607833+00:00", "vendors": ["openstack", "openstack$PRODUCT$keystone"]}