OpenStack Keystone <29.0.2: Rescope Token Exploit to Bypass Expiry
CVE-2026-44394 Published on May 28, 2026
An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.
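A simplified Python model of the rescoping path described above, added here as an example and not Keystone's own code: issue_token, handle_scoped_token_vulnerable, handle_scoped_token_fixed and rescope are hypothetical stand-ins for the token provider and the mapped plugin's handle_scoped_token(), and rescope_extends_lifetime is the regression check a deployer would use to confirm the fix.

```python
# Hypothetical, simplified model of federated token rescoping (not Keystone's code).
# It shows why a plugin response without expires_at lets a rescoped token outlive
# the token it was derived from, and the fix: carry the original expiry through.
from datetime import datetime, timedelta, timezone

DEFAULT_TTL = timedelta(hours=1)  # stand-in for the operator-configured token lifetime


def issue_token(response_data, now, default_ttl=DEFAULT_TTL):
    """Token provider: honour expires_at from the auth plugin when present,
    otherwise fall back to a fresh default TTL (the behaviour the advisory describes)."""
    expires_at = response_data.get("expires_at")
    if expires_at is None:
        expires_at = now + default_ttl
    return {"user_id": response_data["user_id"], "expires_at": expires_at}


def handle_scoped_token_vulnerable(original_token):
    """Mapped plugin, vulnerable form: response data carries no expires_at."""
    return {"user_id": original_token["user_id"]}


def handle_scoped_token_fixed(original_token):
    """Mapped plugin, fixed form: propagate the original token's expiry."""
    return {"user_id": original_token["user_id"],
            "expires_at": original_token["expires_at"]}


def rescope(original_token, now, handler):
    """POST /v3/auth/tokens with an existing token: refuse expired input,
    then let the provider issue the new scoped token from the plugin's response."""
    if now >= original_token["expires_at"]:
        raise PermissionError("cannot rescope an expired token")
    return issue_token(handler(original_token), now)


def rescope_extends_lifetime(handler, hops=5):
    """Regression check: does a chain of rescopes, each made shortly before the
    current token expires, push expiry past the first token's expiry?
    True means the lifetime policy is bypassed; False means it is enforced."""
    now = datetime(2026, 5, 28, tzinfo=timezone.utc)  # constructed start time
    token = issue_token({"user_id": "fed-user"}, now)  # initial login: fresh TTL is correct
    original_expiry = token["expires_at"]
    for _ in range(hops):
        now += timedelta(minutes=50)
        if now >= token["expires_at"]:
            break  # token already expired: the chain cannot continue
        token = rescope(token, now, handler)
    return token["expires_at"] > original_expiry
```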
Vulnerability Analysis
CVE-2026-44394 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low, with a small impact on confidentiality, integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2026-44394 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-44394
Affected Versions
OpenStack Keystone:
- Versions from 14.0.0 and below 27.0.2 are affected.
- Versions from 28.0.0 and below 28.0.2 are affected.
- Versions from 29.0.0 and below 29.0.2 are affected.