Platform: python
Component: keystone
Fixed in: 26.1.1, 27.0.0, 28.0.0, 29.0.0
CVE-2026-33551 is a security vulnerability identified in OpenStack Keystone versions 14 through 26.1.0. An attacker can leverage restricted application credentials to create EC2 credentials, potentially bypassing role restrictions and gaining unauthorized access to S3 resources. This vulnerability primarily impacts deployments utilizing restricted application credentials alongside the EC2/S3 compatibility API. A patch is available in version 26.1.1.
CVE-2026-33551 affects OpenStack Keystone versions 14 through 26 (the fixed releases 26.1.1, 27.0.0, 28.0.0, and 29.0.0 are not affected). The vulnerability allows a restricted application credential to be used to create EC2 credentials. An authenticated user holding only a reader role can obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, bypassing the role restrictions placed on the application credential. This can result in unauthorized access to S3 resources and compromise the security of the OpenStack deployment. Successful exploitation requires that the environment uses restricted application credentials and exposes the EC2 credential creation API.
The vulnerability is exploited through Keystone's EC2 credential creation API. An authenticated attacker holding only a reader role can use a restricted application credential to request the creation of EC2/S3 credentials. Because of a flaw in permission validation, the resulting EC2/S3 credentials inherit the full permissions of the parent user, giving the attacker access to S3 resources the application credential should not reach. The complexity of exploitation is low: it requires only authentication and knowledge of the API.
Exploit Status
EPSS: 0.02% (6th percentile)
CVSS Vector
The primary mitigation for CVE-2026-33551 is to upgrade to OpenStack Keystone version 26.1.1 or later, or to versions 27.0.0, 28.0.0, or 29.0.0. These versions include fixes that prevent the creation of EC2 credentials with elevated permissions. Additionally, it is recommended to review and limit the permissions assigned to application credentials, ensuring they have the minimum privilege necessary for their function. Monitoring Keystone audit logs for suspicious activity related to EC2 credential creation is also a recommended practice.
Upgrade OpenStack Keystone to version 26.1.1 or later, or to 27.0.0, 28.0.0, or 29.0.0, to mitigate the vulnerability. Ensure that restricted application credentials are not used to create EC2/S3 credentials, especially in combination with the EC2/S3 compatibility API (swift3 / s3api).
Keystone versions 14 through 26 (excluding 26.1.1, 27.0.0, 28.0.0, and 29.0.0) are vulnerable to this CVE.
Application credentials are credentials used by applications instead of individual users, with limited permissions to perform specific tasks.
Check the version of Keystone you are using. If it falls within the vulnerable range, mitigation is necessary.
If you cannot upgrade immediately, review and limit the permissions of application credentials and monitor audit logs.
Successful exploitation could result in unauthorized access to S3 resources, compromising the security of the OpenStack infrastructure.
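The two checks the mitigation guidance asks for, as an added example that is not part of the advisory or of the Keystone project: a version test against the affected range stated above, and a scan of Keystone access-log lines for EC2 credential creation requests. It assumes logs in common log format with the standard request line; the sample lines are constructed, and the paths are Keystone's `/v3/users/{user_id}/credentials/OS-EC2` and `/v3/credentials` endpoints.

```python
import re
from typing import Dict, List, Tuple

# Affected range as stated in the advisory: Keystone 14 through 26.1.0.
# 26.1.1 is the first fixed 26.x release; 27.0.0, 28.0.0 and 29.0.0 are fixed too.
FIRST_AFFECTED = (14, 0, 0)
FIRST_FIXED = (26, 1, 1)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '26.1.0', '26.1' or '26' into a comparable (major, minor, patch) tuple."""
    nums = [int(p) for p in version.strip().split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version: str) -> bool:
    """True when the installed Keystone falls inside the range the advisory names."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


# Requests that create EC2 credentials: the user-scoped OS-EC2 endpoint and the
# generic credentials endpoint (a POST there with type "ec2" is the same operation).
EC2_CREATE = re.compile(
    r'"POST /v3/(?:users/(?P<user>[^/\s]+)/credentials/OS-EC2|credentials)'
    r'(?:\?\S*)? HTTP/\S+" (?P<status>\d{3})'
)


def ec2_credential_creations(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return the EC2-credential creation requests found in access-log lines.

    The access log does not record whether the token came from an application
    credential, so each hit still has to be matched against the token's auth
    method (from the token itself or from an audit/CADF trail)."""
    hits = []
    for line in log_lines:
        m = EC2_CREATE.search(line)
        if m:
            hits.append({"user": m.group("user") or "?", "status": m.group("status"), "line": line})
    return hits


# Constructed sample lines in common log format (not real Keystone output).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /v3/auth/tokens HTTP/1.1" 200 1823',
    '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "POST /v3/users/3b1a2f9c8d7e/credentials/OS-EC2 HTTP/1.1" 201 412',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "POST /v3/credentials HTTP/1.1" 201 388',
    '10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /v3/users/3b1a2f9c8d7e/credentials/OS-EC2 HTTP/1.1" 200 950',
]

if __name__ == "__main__":
    for v in ("14.0.0", "26.1.0", "26.1.1", "27.0.0"):
        print(v, "affected" if is_affected(v) else "fixed")
    for hit in ec2_credential_creations(SAMPLE_LOG):
        print("EC2 credential created for user", hit["user"], "status", hit["status"])
```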