CVE-2026-33551

LOW 3.5

CVSS Score

3.5

EPSS Score

0.0%

EPSS Percentile

6th

An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.

CWE	CWE-863
Vendor	openstack
Product	keystone
Published	Apr 10, 2026
Last Updated	Apr 10, 2026

Stay Ahead of the Next One

Get instant alerts for openstack keystone

Be the first to know when new low vulnerabilities affecting openstack keystone are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

OpenStack / Keystone

14.0.0 < 26.1.1 27.0.0 28.0.0 29.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

bugs.launchpad.net: https://bugs.launchpad.net/keystone/+bug/2142138 security.openstack.org: https://security.openstack.org/ossa/OSSA-2026-005.html openwall.com: http://www.openwall.com/lists/oss-security/2026/04/07/12