OpenStack Keystone Pre-29.0.2 Priv Esc via Impersonation + Trust
CVE-2026-43000 Published on May 28, 2026
An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.
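As an added example, not from the advisory or the Keystone project, the following Python audit applies the description above from the defender's side: because a trust created this way persists independently of the patch, an admin can list existing trusts and application credentials and flag any trust that hands a privileged role to a different user, noting when the trustor also owns an unrestricted application credential. It assumes the JSON field names of the Keystone v3 trust and application-credential APIs, uses constructed sample records, and treats only `admin` as privileged (an assumption you would adjust to your deployment).

```python
"""Audit Keystone trusts and application credentials for the persistence
pattern in CVE-2026-43000: a trust delegating a privileged role from one
user to another, optionally chained to an unrestricted app credential.
Field names follow GET /v3/OS-TRUST/trusts and
GET /v3/users/{id}/application_credentials; sample data is constructed."""
import json

PRIVILEGED_ROLES = {"admin"}  # assumption: roles considered sensitive

# Constructed sample: trust t1 delegates admin from "victim" to "attacker";
# t2 is a benign self-trust; ac1 is an unrestricted credential of "victim".
SAMPLE_TRUSTS = json.dumps({"trusts": [
    {"id": "t1", "trustor_user_id": "victim", "trustee_user_id": "attacker",
     "impersonation": True, "roles": [{"name": "admin"}]},
    {"id": "t2", "trustor_user_id": "svc", "trustee_user_id": "svc",
     "impersonation": False, "roles": [{"name": "member"}]},
]})
SAMPLE_APP_CREDS = json.dumps({"application_credentials": [
    {"id": "ac1", "user_id": "victim", "name": "ci", "unrestricted": True},
    {"id": "ac2", "user_id": "svc", "name": "backup", "unrestricted": False},
]})


def unrestricted_owners(creds_json):
    """Return the set of user ids owning an unrestricted application credential."""
    creds = json.loads(creds_json)["application_credentials"]
    return {c["user_id"] for c in creds if c.get("unrestricted")}


def audit(trusts_json, creds_json, privileged=PRIVILEGED_ROLES):
    """Return (trust_id, trustor, trustee, trustor_has_unrestricted_cred) for
    every trust that delegates a privileged role to a different user.
    A True flag in the last position matches the chain the advisory describes."""
    owners = unrestricted_owners(creds_json)
    findings = []
    for t in json.loads(trusts_json)["trusts"]:
        roles = {r["name"] for r in t.get("roles", [])}
        if t["trustor_user_id"] == t["trustee_user_id"] or not roles & privileged:
            continue  # self-trust or no sensitive role: not in scope
        findings.append((t["id"], t["trustor_user_id"], t["trustee_user_id"],
                         t["trustor_user_id"] in owners))
    return findings


if __name__ == "__main__":
    for trust_id, trustor, trustee, chained in audit(SAMPLE_TRUSTS, SAMPLE_APP_CREDS):
        print(f"review trust {trust_id}: {trustor} -> {trustee}"
              f"{' (trustor has unrestricted app cred)' if chained else ''}")
```

Listing every trust in the deployment requires admin scope; review each flagged trust with its trustor before deleting it, since legitimate delegations match the same shape.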
Vulnerability Analysis
CVE-2026-43000 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low, with a small impact on confidentiality, integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2026-43000 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-43000
Affected Versions
OpenStack Keystone:
- Version 14.0.0 and above, below 27.0.2, is affected.
- Version 28.0.0 and above, below 28.0.2, is affected.
- Version 29.0.0 and above, below 29.0.2, is affected.