Keystone /v3/credentials Unvalidated project_id Enables EC2 Token Cross-Project Lateral Movement
CVE-2026-43001 Published on May 1, 2026
An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
Vulnerability Analysis
CVE-2026-43001 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be high for confidentiality and integrity, and low for availability.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2026-43001 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-43001
Affected Versions
OpenStack Keystone: versions 13 through 29 (inclusive) are affected.