Cyber Resilience

CVE-2026-22797

CriticalUpdated

Published: 19 January 2026

Published
19 January 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0045 36.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-22797 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Redhat (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22797 is a high-severity vulnerability in OpenStack keystonemiddleware, affecting versions 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers prior to processing OAuth 2.0 tokens, enabling attackers to inject forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id. All deployments utilizing this middleware are vulnerable, with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L) and mapped to CWE-290 (Authentication Bypass by Spoofing).

An authenticated attacker with low privileges can exploit this issue remotely over the network with low complexity and no user interaction required. By crafting and sending requests with manipulated headers during OAuth 2.0 token processing, the attacker can escalate their privileges or impersonate other users, potentially gaining high confidentiality, integrity, and limited availability impacts across a changed scope.

Advisories recommend upgrading to patched versions: 10.7.2, 10.9.1, or 10.12.1 and later. Detailed discussions and patches are available in the referenced sources, including the Launchpad bug report at https://launchpad.net/bugs/2129018 and oss-security mailing list announcements at https://www.openwall.com/lists/oss-security/2026/01/16/9, http://www.openwall.com/lists/oss-security/2026/01/15/1, http://www.openwall.com/lists/oss-security/2026/01/16/2, and http://www.openwall.com/lists/oss-security/2026/01/16/3.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged…

more

identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Vulnerability in OpenStack Keystone middleware allows low-privileged authenticated attackers to forge authentication headers (e.g., X-Roles, X-User-Id), directly enabling exploitation of the remote authentication service for privilege escalation and user impersonation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45223Shared CWE-290
CVE-2025-21415Shared CWE-290
CVE-2022-3180Shared CWE-290
CVE-2026-32666Shared CWE-290
CVE-2026-32014Shared CWE-290
CVE-2026-33433Shared CWE-290
CVE-2025-69203Shared CWE-290
CVE-2024-54085Shared CWE-290
CVE-2026-28954Shared CWE-290
CVE-2026-8960Shared CWE-290

Affected Assets

Redhat
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of incoming authentication headers to prevent exploitation via forged X-Is-Admin-Project, X-Roles, or X-User-Id headers in the external_oauth2_token middleware.

prevent

Mandates timely identification, reporting, and patching of software flaws like the keystonemiddleware sanitization failure affecting versions 10.5 through 10.12.

prevent

Ensures mechanisms for unique identification and authentication of users, mitigating impersonation and privilege escalation from unsanitized OAuth 2.0 token processing.

References