OpenStack Keystone 14-26,27,28,29: Restricted App Creds Escalate EC2/S3
CVE-2026-33551 Published on April 10, 2026
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2026-33551 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-33551
Want to know whenever a new CVE is published for OpenStack Keystone? stack.watch will email you.
Affected Versions
OpenStack Keystone:- Version 14.0.0 and below 26.1.1 is affected.
- Version 27.0.0 is affected.
- Version 28.0.0 is affected.
- Version 29.0.0 is affected.