CVE-2026-43001
Published: 01 May 2026
Summary
CVE-2026-43001 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenStack Keystone. Its CVSS base score is 7.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-43001 is a vulnerability affecting OpenStack Keystone versions 13 through 29. The flaw occurs in the POST /v3/credentials endpoint, which does not validate that the caller-supplied project_id for an EC2-type credential matches the project associated with the authenticating application credential. This issue, published on 2026-05-01, is categorized under CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 7.9 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L).
An attacker with an unrestricted application credential scoped to project A can exploit this vulnerability over the network. By creating an EC2-type credential specifying a project_id for project B, the attacker can then perform a /v3/ec2tokens exchange to obtain a Keystone token scoped to project B. This token retains the original app_cred_id, enabling cross-project lateral movement within the footprint of the credential owner's roles, potentially granting high confidentiality and integrity impacts across scope boundaries.
Advisories and patches addressing this vulnerability are detailed in the OpenStack Keystone bug tracker at https://bugs.launchpad.net/keystone/+bug/2149775 and the associated code review patch at https://review.opendev.org/c/openstack/keystone/+/985804.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26488
Vulnerability details
An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
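As an added example, not code from Keystone or from this advisory: a small Python model of the authorization rule the deeper analysis and the vulnerability details above describe as missing (a caller authenticated with an application credential may only create an EC2-type credential for that credential's own project), followed by a replay of constructed request records through the same rule so a defender can surface historical cross-project attempts. The AuthContext fields, the record layout and the project and credential identifiers are assumptions.

```python
# Added example, not Keystone's own code: a model of the project_id check that
# POST /v3/credentials lacked, plus a replay of constructed records through it.
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthContext:
    user_id: str
    project_id: str             # project the caller's token is scoped to
    app_cred_id: Optional[str]  # set when the token came from an application credential

def check_credential_create(ctx: AuthContext, credential: dict) -> tuple[bool, str]:
    """Hypothetical model of the fix: a caller authenticated with an application
    credential may only create an EC2-type credential for that credential's own
    project. Other types and non-app-cred callers fall to ordinary policy."""
    if credential.get("type") != "ec2":
        return True, "not an ec2 credential; project binding does not apply"
    target = credential.get("project_id")
    if target is None:
        return False, "ec2 credential must carry a project_id"
    if ctx.app_cred_id is not None and target != ctx.project_id:
        return False, (f"application credential {ctx.app_cred_id} is scoped to "
                       f"{ctx.project_id} and may not create an ec2 credential for {target}")
    return True, "project_id matches the caller's scope"

def flag_cross_project_requests(records: list[dict]) -> list[dict]:
    """Replay request records through the check; return those a fixed Keystone would reject."""
    flagged = []
    for rec in records:
        ctx = AuthContext(rec["user_id"], rec["token_project_id"], rec.get("app_cred_id"))
        allowed, reason = check_credential_create(ctx, rec["credential"])
        if not allowed:
            flagged.append({**rec, "reason": reason})
    return flagged

# Constructed sample request records (the field names are an assumption, not a
# Keystone log format): a legitimate same-project create, a cross-project attempt
# from an application credential, and a cross-project create from a user token.
SAMPLE_REQUESTS = [
    {"user_id": "u1", "token_project_id": "proj-A", "app_cred_id": "ac-1",
     "credential": {"type": "ec2", "project_id": "proj-A"}},
    {"user_id": "u1", "token_project_id": "proj-A", "app_cred_id": "ac-1",
     "credential": {"type": "ec2", "project_id": "proj-B"}},
    {"user_id": "u2", "token_project_id": "proj-A", "app_cred_id": None,
     "credential": {"type": "ec2", "project_id": "proj-B"}},
]
```

Only the second record is flagged: the third comes from a plain user token, which the page's description leaves to Keystone's existing policy rather than to this check.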
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthorized creation of EC2 credentials for other projects through the missing project_id validation, directly facilitating T1098.001 (Additional Cloud Credentials) and T1068 (Exploitation for Privilege Escalation) for cross-project lateral movement.
Mitigating Controls (NIST 800-53 r5)
- Directly enforces the missing project_id authorization check on POST /v3/credentials, so an application credential cannot create an EC2 credential for another project.
- Enforces information-flow rules between projects, blocking the cross-project token scope escalation that the flawed credential exchange permits.
- Limits the effective rights of an application credential to its own project, preventing the lateral movement the vulnerability enables within the owner's role footprint.