{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-33551", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-10T13:50:43.389Z", "dateReserved": "2026-03-22T00:00:00.000Z", "datePublished": "2026-04-10T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Keystone", "vendor": "OpenStack", "versions": [{"lessThan": "26.1.1", "status": "affected", "version": "14.0.0", "versionType": "semver"}, {"status": "affected", "version": "27.0.0", "versionType": "semver"}, {"status": "affected", "version": "28.0.0", "versionType": "semver"}, {"status": "affected", "version": "29.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T02:02:56.184Z"}, "references": [{"url": "https://bugs.launchpad.net/keystone/+bug/2142138"}, {"url": "https://security.openstack.org/ossa/OSSA-2026-005.html"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "14.0.0", "versionEndExcluding": "26.1.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "27.0.0", "versionEndIncluding": "27.0.0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "28.0.0", "versionEndIncluding": "28.0.0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "29.0.0", "versionEndIncluding": "29.0.0"}]}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-10T03:07:01.673Z"}}, {"references": [{"url": "https://bugs.launchpad.net/keystone/+bug/2142138", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T13:50:09.231560Z", "id": "CVE-2026-33551", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T13:50:43.389Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-10T03:07:01.673Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33551", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T13:50:09.231560Z"}}}], "references": [{"url": "https://bugs.launchpad.net/keystone/+bug/2142138", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T13:50:04.020Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N"}}], "affected": [{"vendor": "OpenStack", "product": "Keystone", "versions": [{"status": "affected", "version": "14.0.0", "lessThan": "26.1.1", "versionType": "semver"}, {"status": "affected", "version": "27.0.0", "versionType": "semver"}, {"status": "affected", "version": "28.0.0", "versionType": "semver"}, {"status": "affected", "version": "29.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://bugs.launchpad.net/keystone/+bug/2142138"}, {"url": "https://security.openstack.org/ossa/OSSA-2026-005.html"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "26.1.1", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "27.0.0", "versionStartIncluding": "27.0.0"}, {"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "28.0.0", "versionStartIncluding": "28.0.0"}, {"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "29.0.0", "versionStartIncluding": "29.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T02:02:56.184Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33551", "state": "PUBLISHED", "dateUpdated": "2026-04-10T13:50:43.389Z", "dateReserved": "2026-03-22T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-10T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected."}], "id": "CVE-2026-33551", "lastModified": "2026-04-13T15:02:06.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-10T03:16:02.723", "references": [{"source": "cve@mitre.org", "url": "https://bugs.launchpad.net/keystone/+bug/2142138"}, {"source": "cve@mitre.org", "url": "https://security.openstack.org/ossa/OSSA-2026-005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/07/12"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://bugs.launchpad.net/keystone/+bug/2142138"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Maxence Bornecque (Orange Cyberdefense CERT Vulnerability Intelligence Watch Team) for reporting this issue.", "bugzilla": {"description": "openstack-keystone: OpenStack Keystone: Privilege escalation through EC2 credential creation", "id": "2451037", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451037"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-266", "details": ["A flaw was found in OpenStack Keystone. An authenticated user with a reader role can exploit a vulnerability in the EC2 credential creation endpoint. By using a restricted application credential to call the EC2 credential creation API, the user may obtain EC2/S3 credentials that carry the full set of the parent user's S3 permissions. This effectively bypasses the role restrictions imposed on the application credential, leading to unauthorized access and privilege escalation. This issue affects deployments that use restricted application credentials in combination with the EC2/S3 compatibility API."], "name": "CVE-2026-33551", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Affected", "package_name": "rhosp13/openstack-keystone", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "openstack-keystone", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "openstack-keystone", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "openstack-keystone", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-04-07T15:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33551\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33551\nhttp://www.openwall.com/lists/oss-security/2026/04/07/12\nhttps://security.openstack.org/ossa/OSSA-2026-005.html\nhttps://www.openwall.com/lists/oss-security/2026/04/07/12"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[14.0.0,26.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "27.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "28.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "29.0.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Keystone", "source": "cna", "vendor": "OpenStack"}, "product": "keystone", "vendor": "openstack"}], "analysis": {"en": {"generated_at": "2026-04-14T01:42:42.517922+00:00", "value": {"mitigation_remediation": ["Upgrade OpenStack Keystone to the latest version that removes this flaw (the patch was applied after 26.1.1, 27.x, 28.x, and 29.x releases).", "If upgrading is not immediately possible, disable or limit the use of the EC2/S3 compatibility API for restricted application credentials.", "Reevaluate role assignments so that reader\u2011only application credentials cannot request EC2 credential creation.", "Continuously monitor Keystone logs for unexpected EC2 credential creation requests and investigate promptly."], "summary": {"action": "Patch Now", "impact": "Privilege Escalation via EC2 credential creation"}, "threat_synthesis": {"affected_systems": "Vulnerable versions of OpenStack Keystone are 14 through 26 before 26.1.1, as well as 27.0.0, 28.0.0, and 29.0.0. The issue manifests only when restricted application credentials are used alongside the EC2/S3 compatibility API (swift3 / s3api).", "description_and_impact": "A flaw in OpenStack Keystone allows a user with a restricted application credential and only reader role to call the EC2 credential creation API and obtain an EC2/S3 credential that inherits the full set of the parent user\u2019s S3 permissions. The result is a privilege escalation that bypasses the intended role restrictions on the application credential. The weakness is rooted in improper account and privilege management and missing authorization checks.", "risk_and_exploitability": "The CVSS score of 3.5 indicates a moderate impact, while an EPSS score below 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that the attacker must already be authenticated, possess a reader role, and have access to a restricted application credential. The attack vector is therefore internal or requires a compromised user credential rather than remote exploitation."}}}}, "created": "2026-04-10T08:36:22.771848+00:00", "updated": "2026-04-14T16:36:44.960491+00:00", "vendors": ["openstack", "openstack$PRODUCT$keystone"]}