CVE-2026-43001
Published: 01 May 2026
Summary
CVE-2026-43001 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenStack Keystone. Its CVSS base score is 7.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 2.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations, directly addressing the failure to validate project_id matching for EC2 credential creation to prevent cross-project lateral movement.
AC-24 requires explicit authorization decisions for system resources like credential creation endpoints, ensuring checks against the authenticating credential's project scope.
SI-10 enforces validation of information inputs such as the caller-supplied project_id, rejecting mismatches with the authenticating application credential's project.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthorized EC2 credential creation for other projects through missing project_id validation, directly facilitating T1098.001 (Additional Cloud Credentials) and T1068 (Exploitation for Privilege Escalation) for cross-project lateral movement.
NVD Description
An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
Deeper analysis
CVE-2026-43001 is a vulnerability affecting OpenStack Keystone versions 13 through 29. The flaw occurs in the POST /v3/credentials endpoint, which does not validate that the caller-supplied project_id for an EC2-type credential matches the project associated with the authenticating application credential. This issue, published on 2026-05-01, is categorized under CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 7.9 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L).
An attacker with an unrestricted application credential scoped to project A can exploit this vulnerability over the network. By creating an EC2-type credential specifying a project_id for project B, the attacker can then perform a /v3/ec2tokens exchange to obtain a Keystone token scoped to project B. This token retains the original app_cred_id, enabling cross-project lateral movement within the footprint of the credential owner's roles, potentially granting high confidentiality and integrity impacts across scope boundaries.
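The authorization decision the advisory says was missing, modelled as an added example (this is not Keystone's code; the names AuthContext, Forbidden and enforce_project_match are assumptions). The flag reproduces the pre-fix behaviour beside the hardened check so the two can be compared on the same request.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the server-side check for POST /v3/credentials described
# in CVE-2026-43001. Not Keystone's own code; field and function names are assumed.


@dataclass
class AuthContext:
    """What the server knows about the caller once the token is validated."""
    user_id: str
    project_id: str               # project the token is scoped to
    app_cred_id: Optional[str]    # set when an application credential was used


class Forbidden(Exception):
    """Raised when the authorization decision (NIST AC-3 / AC-24) denies the request."""


def authorize_credential_create(ctx: AuthContext, body: dict,
                                enforce_project_match: bool = True) -> dict:
    """Return the credential record to store, or raise Forbidden.

    enforce_project_match=False reproduces the CWE-863 behaviour in the advisory:
    the caller-supplied project_id is accepted without comparison.
    """
    cred = dict(body.get("credential", {}))
    if cred.get("type") != "ec2":
        return cred                       # only the EC2 path is modelled here
    # Default to the token's project when the caller omits project_id.
    requested = cred.setdefault("project_id", ctx.project_id)
    if (enforce_project_match and ctx.app_cred_id is not None
            and requested != ctx.project_id):
        raise Forbidden(
            f"application credential {ctx.app_cred_id} is scoped to project "
            f"{ctx.project_id}; refusing EC2 credential for project {requested}")
    return cred


def is_cross_project(ctx: AuthContext, body: dict) -> bool:
    """True when the hardened check would reject this request."""
    try:
        authorize_credential_create(ctx, body)
    except Forbidden:
        return True
    return False
```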
Advisories and patches addressing this vulnerability are detailed in the OpenStack Keystone bug tracker at https://bugs.launchpad.net/keystone/+bug/2149775 and the associated code review patch at https://review.opendev.org/c/openstack/keystone/+/985804.
Details
- CWE(s)