Cyber Posture

CVE-2026-40683

High

Published: 14 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H)
EPSS Score: 0.0002 (4.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40683 is a high-severity Type Confusion (CWE-843) vulnerability in Launchpad (inferred from references). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 4.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

- SI-2 Flaw Remediation (prevent): Directly mitigates the software flaw in OpenStack Keystone's LDAP backend by requiring timely patching to version 28.0.1 or later, where string-to-boolean conversion is properly handled.
- CM-6 Configuration Settings (prevent): Enforces secure configuration settings for the Keystone LDAP identity backend, such as enabling user_enabled_invert=True or user_enabled_emulation, as a workaround to ensure proper interpretation of the user enabled status.
- prevent: Requires identification and authentication processes for organizational users that accurately validate and enforce LDAP user enabled attributes, so that disabled accounts cannot authenticate.

MITRE ATT&CK Enterprise Techniques · AI

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1078.004 Cloud Accounts (Stealth): Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability in the public-facing OpenStack Keystone LDAP backend allows network-based exploitation to authenticate as disabled users (T1190), enabling abuse of valid cloud accounts that should be blocked (T1078.004) due to the string-to-boolean type confusion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.

Deeper analysis · AI

CVE-2026-40683 is a vulnerability in OpenStack Keystone versions prior to 28.0.1, specifically affecting the LDAP identity backend. The issue arises because the _ldap_res_to_model method in the UserApi class fails to convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is set to False, which is the default. Instead, it uses the raw string value from LDAP, such as "FALSE", directly. In Python, non-empty strings are truthy, causing Keystone to treat LDAP-disabled users as enabled. This impacts all deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation enabled. The vulnerability is rated 7.7 on the CVSS 3.1 scale (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H) and is associated with CWE-843 (Type Confusion).

An attacker with valid credentials for a user marked as disabled in LDAP can exploit this vulnerability over the network with high complexity and low privileges. Since Keystone incorrectly interprets the disabled status as enabled due to the truthy string value, the attacker can authenticate successfully and perform authorized actions based on the user's role, despite the LDAP configuration intending to block them. The scope change in the CVSS vector indicates potential impact across security boundaries, with low confidentiality and integrity effects but high availability disruption possible.

Advisories and patches, including Launchpad bugs #2121152 and #2141713, the OpenDev review at https://review.opendev.org/958205, and the OSS-Security mailing list announcement at https://www.openwall.com/lists/oss-security/2026/04/14/9, recommend upgrading to OpenStack Keystone 28.0.1 or later, where the string-to-boolean conversion is properly handled regardless of the user_enabled_invert setting. As a workaround, administrators can enable user_enabled_invert=True or user_enabled_emulation in the LDAP backend configuration to mitigate the issue prior to patching.
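The following is an added, simplified illustration of the bug class described above; it is not Keystone's `_ldap_res_to_model` code, and the function names, the string tables and the sample directory entries are constructed for the example. It places the flawed conversion path (raw LDAP string used unless `user_enabled_invert` is True) next to a hardened form that always normalises the attribute to a boolean, and adds a small audit helper that lists accounts the flawed path would wrongly treat as enabled:

```python
"""
Hypothetical, simplified model of turning an LDAP "enabled" attribute into a
boolean. Added illustrative code, not Keystone's own implementation; all names
below are assumptions for the example.
"""

# Strings commonly used for boolean-ish LDAP attribute values (constructed list).
_TRUE_STRINGS = {"true", "t", "yes", "y", "1", "on"}
_FALSE_STRINGS = {"false", "f", "no", "n", "0", "off"}


def str_to_bool(value):
    """Normalise an LDAP attribute value to bool; unknown strings raise rather
    than silently being treated as truthy."""
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return bool(value)
    text = str(value).strip().lower()
    if text in _TRUE_STRINGS:
        return True
    if text in _FALSE_STRINGS:
        return False
    raise ValueError(f"unrecognised boolean attribute value: {value!r}")


def enabled_vulnerable(raw_value, user_enabled_invert=False):
    """Mirrors the flaw in the advisory: conversion happens only when
    user_enabled_invert is True; with the default (False) the raw string is
    returned as-is, and a non-empty string such as "FALSE" is truthy."""
    if user_enabled_invert:
        return not str_to_bool(raw_value)
    return raw_value  # raw LDAP string used directly: the defect


def enabled_fixed(raw_value, user_enabled_invert=False):
    """Hardened form: always normalise to bool first, then apply the invert option."""
    enabled = str_to_bool(raw_value)
    return (not enabled) if user_enabled_invert else enabled


def find_wrongly_enabled(entries, user_enabled_invert=False):
    """Audit helper: names whose LDAP value the flawed path treats as enabled
    while the correct path treats it as disabled."""
    wrong = []
    for name, raw in entries:
        flawed = bool(enabled_vulnerable(raw, user_enabled_invert))
        correct = enabled_fixed(raw, user_enabled_invert)
        if flawed and not correct:
            wrong.append(name)
    return wrong


# Constructed sample directory entries: (uid, raw value of the enabled attribute).
SAMPLE_ENTRIES = [
    ("alice", "TRUE"),
    ("bob", "FALSE"),
    ("carol", "false"),
    ("dave", "0"),
]

if __name__ == "__main__":
    for name, raw in SAMPLE_ENTRIES:
        flawed = bool(enabled_vulnerable(raw))
        print(f"{name:6} raw={raw!r:8} flawed_path={flawed!s:5} fixed_path={enabled_fixed(raw)}")
    print("wrongly treated as enabled:", find_wrongly_enabled(SAMPLE_ENTRIES))
```

Run stand-alone, the script shows why the `user_enabled_invert=True` workaround helps: on that path both versions convert the string before inverting it, so the audit helper reports no mismatches, whereas on the default path every disabled account ("FALSE", "false", "0") is reported as wrongly enabled. The hardened conversion also rejects unrecognised values instead of letting them fall through as truthy.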

Details

CWE(s): CWE-843 (Type Confusion)

Affected Products: Launchpad (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2026-24874 (shared CWE-843)
- CVE-2025-47151 (shared CWE-843)
- CVE-2025-70023 (shared CWE-843)
- CVE-2025-65570 (shared CWE-843)
- CVE-2026-25537 (shared CWE-843)
- CVE-2025-53144 (shared CWE-843)
- CVE-2026-5865 (shared CWE-843)
- CVE-2026-4702 (shared CWE-843)
- CVE-2025-21342 (shared CWE-843)
- CVE-2025-10585 (shared CWE-843)

References