CVE-2026-33551 - Vulnerability Details

An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

OpenStack

Keystone

unaffected

Version	Status	Constraints
`14.0.0`	affected	< 26.1.1
`27.0.0`	affected	—
`28.0.0`	affected	—
`29.0.0`	affected	—

No data.

Project Subscriptions

Vendors	Products
Openstack Subscribe	Keystone Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://bugs.launchpad.net/keystone/+bug/2142138
https://security.openstack.org/ossa/OSSA-2026-005.html

History

Fri, 10 Apr 2026 02:45:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
First Time appeared		Openstack Openstack keystone
Weaknesses		CWE-863
CPEs		cpe:2.3:a:openstack:keystone::::::::
Vendors & Products		Openstack Openstack keystone
References		https://bugs.launchpad.net/keystone/+bug/2142138 https://security.openstack.org/ossa/OSSA-2026-005.html
Metrics		cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-10T00:00:00.000Z

Updated: 2026-04-10T02:02:56.184Z

Reserved: 2026-03-22T00:00:00.000Z

Link: CVE-2026-33551

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-863

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object