Cyber Resilience

CVE-2026-43001

High · Public PoC · Updated

Published: 01 May 2026

Modified: 02 June 2026
KEV Added
Patch
CVSS Score v3.1: 7.9 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0002 (4.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-43001 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenStack Keystone. Its CVSS base score is 7.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-43001 is a vulnerability affecting OpenStack Keystone versions 13 through 29. The flaw occurs in the POST /v3/credentials endpoint, which does not validate that the caller-supplied project_id for an EC2-type credential matches the project associated with the authenticating application credential. This issue, published on 2026-05-01, is categorized under CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 7.9 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L).

An attacker with an unrestricted application credential scoped to project A can exploit this vulnerability over the network. By creating an EC2-type credential specifying a project_id for project B, the attacker can then perform a /v3/ec2tokens exchange to obtain a Keystone token scoped to project B. This token retains the original app_cred_id, enabling cross-project lateral movement within the footprint of the credential owner's roles, potentially granting high confidentiality and integrity impacts across scope boundaries.

Advisories and patches addressing this vulnerability are detailed in the OpenStack Keystone bug tracker at https://bugs.launchpad.net/keystone/+bug/2149775 and the associated code review patch at https://review.opendev.org/c/openstack/keystone/+/985804.
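The missing check described above, reduced to a small model with the unchecked handler beside a checked one. This is an added example, not Keystone's code or the upstream patch; `AuthContext`, `Forbidden`, the function names and the sample values are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Request crosses the caller's project boundary."""


@dataclass(frozen=True)
class AuthContext:
    # Hypothetical stand-in for the authenticated caller (not a Keystone class).
    user_id: str
    project_id: str                    # project the caller is scoped to
    app_cred_id: Optional[str] = None  # set when auth used an application credential


def create_credential_unchecked(ctx: AuthContext, body: dict) -> dict:
    # Behaviour the advisory describes: the caller-supplied project_id is
    # stored without being compared to the caller's own project.
    return {"user_id": ctx.user_id, "type": body["type"],
            "project_id": body.get("project_id"), "blob": body["blob"]}


def create_credential_checked(ctx: AuthContext, body: dict) -> dict:
    # Access enforcement: an application credential may only create an EC2
    # credential for the project it is bound to. Other auth methods are
    # outside what the advisory covers and pass through unchanged here.
    if body.get("type") == "ec2" and ctx.app_cred_id is not None:
        target = body.get("project_id")
        if target != ctx.project_id:
            raise Forbidden(f"application credential {ctx.app_cred_id} is bound "
                            f"to project {ctx.project_id}, not {target}")
    return create_credential_unchecked(ctx, body)


def is_allowed(ctx: AuthContext, body: dict) -> bool:
    try:
        create_credential_checked(ctx, body)
        return True
    except Forbidden:
        return False


# Constructed sample data: caller authenticated with an app credential for project A.
CALLER = AuthContext(user_id="u1", project_id="project-a", app_cred_id="appcred-1")
SAME_PROJECT = {"type": "ec2", "project_id": "project-a", "blob": "{}"}
CROSS_PROJECT = {"type": "ec2", "project_id": "project-b", "blob": "{}"}

if __name__ == "__main__":
    print(create_credential_unchecked(CALLER, CROSS_PROJECT)["project_id"])  # accepted
    print(is_allowed(CALLER, SAME_PROJECT), is_allowed(CALLER, CROSS_PROJECT))
```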

EU & UK References

Vulnerability details

An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098.001 Additional Cloud Credentials (Tactic: Persistence)
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
Why these techniques?

Vulnerability enables unauthorized EC2 credential creation for other projects via missing project_id validation, directly facilitating T1098.001 (Additional Cloud Credentials) and T1068 (Exploitation for Privilege Escalation) for cross-project lateral movement.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28370 · Same vendor: OpenStack
CVE-2026-28951 · Shared CWE-863
CVE-2026-42432 · Shared CWE-863
CVE-2024-40771 · Shared CWE-863
CVE-2026-34972 · Shared CWE-863
CVE-2025-0360 · Shared CWE-863
CVE-2026-4639 · Shared CWE-863
CVE-2026-42429 · Shared CWE-863
CVE-2026-41404 · Shared CWE-863
CVE-2020-36969 · Shared CWE-863

Affected Assets

openstack
keystone
14.0.0 — 27.0.2 · 28.0.0 — 28.0.2 · 29.0.0 — 29.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces the missing project_id authorization check on POST /v3/credentials so an app credential cannot create an EC2 credential for another project.

prevent

Enforces information-flow rules between projects, blocking the cross-project token scope escalation that the flawed credential exchange permits.

prevent

Limits the effective rights of an application credential to its own project, preventing the lateral movement the vulnerability enables within the owner's role footprint.

References