{
  "threat_severity" : "Important",
  "public_date" : "2026-05-01T00:00:00Z",
  "bugzilla" : {
    "description" : "OpenStack Keystone: Unauthorized cross-project access due to improper validation in EC2 credential creation",
    "id" : "2464305",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464305"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-1288",
  "details" : [ "An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.", "A flaw was found in OpenStack Keystone. An attacker holding an unrestricted application credential could exploit a vulnerability in the POST /v3/credentials endpoint where the caller-supplied project_id for an EC2-type credential was not validated against the project of the authenticating application credential. This allows the attacker to create an EC2 credential targeting a different project. Subsequently, a /v3/ec2tokens exchange would issue a Keystone token scoped to the targeted project, enabling unauthorized cross-project access and lateral movement within the credential owner's role footprint." ],
  "statement" : "This flaw in OpenStack Keystone allows an attacker with an unrestricted application credential to bypass project isolation. By exploiting improper validation during EC2 credential creation, an attacker can gain unauthorized access and move laterally between projects within a Red Hat OpenStack Platform deployment, compromising multi-tenant security. If the roles the attacker holds in the original project (the project the application credential belongs to) are compatible with the roles in the project the attacker is targeting, the attacker can perform the same actions in the targeted project that were permitted in the initial project. Depending on the level of privileges the attacker holds, this means a high impact on confidentiality, integrity and availability.",
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "rhosp13/openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Affected",
    "package_name" : "openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "rhosp-rhel8/openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1",
    "fix_state" : "Affected",
    "package_name" : "openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:17.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1",
    "fix_state" : "Not affected",
    "package_name" : "rhosp-rhel9/openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:17.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Affected",
    "package_name" : "openstack-keystone",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Not affected",
    "package_name" : "rhoso/openstack-keystone-rhel9",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43001\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43001\nhttps://bugs.launchpad.net/keystone/+bug/2149775\nhttps://review.opendev.org/c/openstack/keystone/+/985804" ],
  "name" : "CVE-2026-43001",
  "mitigation" : {
    "value" : "To reduce exposure, ensure that OpenStack application credentials are created with the most restrictive scope possible, limiting their permissions to only what is essential for their intended function. If EC2 credentials are not actively used within your OpenStack deployment, consider disabling the EC2 credential API endpoint in Keystone to prevent unauthorized creation of cross-project EC2 credentials. Refer to the OpenStack Keystone administration guide for detailed instructions on managing application credential scopes and disabling API endpoints. Any changes to Keystone configuration may require a service restart to take effect.",
    "lang" : "en:us"
  },
  "csaw" : false
}