{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-14T20:05:03Z",
  "bugzilla" : {
    "description" : "OpenStack Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP user status handling",
    "id" : "2458472",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458472"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-843",
  "details" : [ "A flaw was found in OpenStack Keystone. When using the LDAP identity backend, the system incorrectly processes the user enabled attribute if the user_enabled_invert configuration option is set to False. This error causes users marked as disabled in LDAP to be treated as enabled within Keystone, allowing them to authenticate and perform actions despite their disabled status. This can lead to unauthorized access to resources." ],
  "statement" : "A flaw in OpenStack Keystone's LDAP identity backend allows unauthorized access. When the `user_enabled_invert` configuration option is set to its default of `False`, users marked as disabled in LDAP are incorrectly treated as enabled within Keystone. This enables them to authenticate and perform actions, affecting Red Hat OpenStack Platform deployments that use the LDAP identity backend without `user_enabled_invert=True` or `user_enabled_emulation` configured.\nThe flaw occurs because any non-empty string in the Python programming language evaluates as `True`: openstack-keystone does not properly convert the user enabled LDAP attribute from a string to a boolean when `user_enabled_invert` is set to `False`, so any existing user that is disabled on the LDAP side is handled as enabled by OpenStack Keystone.\nRed Hat Product Security has rated this flaw as Moderate severity because exploiting it requires the attacker to have had prior access to the targeted system, and the impact is limited to the level of access the attacker held before their user was disabled on the LDAP side.",
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Affected",
    "package_name" : "rhosp13/openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Affected",
    "package_name" : "openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Affected",
    "package_name" : "rhosp-rhel8/openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1",
    "fix_state" : "Affected",
    "package_name" : "openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:17.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1",
    "fix_state" : "Affected",
    "package_name" : "rhosp-rhel9/openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:17.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Affected",
    "package_name" : "openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Affected",
    "package_name" : "rhoso/openstack-keystone-rhel9",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40683\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40683\nhttps://bugs.launchpad.net/keystone/+bug/2121152\nhttps://bugs.launchpad.net/keystone/+bug/2141713\nhttps://review.opendev.org/958205\nhttps://www.openwall.com/lists/oss-security/2026/04/14/9" ],
  "name" : "CVE-2026-40683",
  "mitigation" : {
    "value" : "To mitigate this issue, configure OpenStack Keystone to correctly interpret the LDAP user enabled attribute. Set the `user_enabled_invert` option to `True` in the `keystone.conf` file.\nExample:\n```ini\n[ldap]\nuser_enabled_invert = True\n```\nAfter modifying the configuration, restart the Keystone service for the changes to take effect. This may temporarily disrupt authentication services.\nAdditionally, the user should start using an LDAP attribute with inverted semantics (such as nsAccountLock) so that the LDAP side matches the semantics expected on the Keystone side.",
    "lang" : "en:us"
  },
  "csaw" : false
}