Openstack Keystone
35 CVEs affecting Openstack Keystone. Latest disclosed: 2026-05-28. Critical: 0, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-43001 | High | 7.9 | 2026-05-01 | An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credenti… |
| CVE-2026-40683 | High | 7.7 | 2026-04-14 | In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configurat… |
| CVE-2025-65073 | High | 7.5 | 2025-11-17 | OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorizatio… |
| CVE-2015-7546 | High | 7.5 | 2016-02-03 | The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystonec… |
| CVE-2013-0270 | Medium | 6.5 | 2013-04-12 | A flaw was found in OpenStack Keystone. A remote attacker could exploit this vulnerability by sending a large HTTP request, specifically by providing a long te… |
| CVE-2026-44394 | Medium | 6.0 | 2026-05-28 | An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to… |
| CVE-2026-43000 | Medium | 6.0 | 2026-05-28 | An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the mem… |
| CVE-2026-42999 | Medium | 6.0 | 2026-05-28 | An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body… |
| CVE-2026-42998 | Medium | 6.0 | 2026-05-28 | An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied i… |
| CVE-2026-33551 | Low | 3.5 | 2026-04-10 | An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 creden… |
| CVE-2013-2255 | | | 2019-11-01 | HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. |
| CVE-2015-3646 | | | 2015-05-12 | OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenti… |
| CVE-2014-0204 | | | 2014-11-03 | OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote a… |
| CVE-2014-3520 | | | 2014-10-26 | OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unautho… |
| CVE-2014-3621 | | | 2014-10-02 | The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive c… |
| CVE-2014-5253 | | | 2014-08-25 | OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remo… |
| CVE-2014-5252 | | | 2014-08-25 | The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remo… |
| CVE-2014-5251 | | | 2014-08-25 | The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which… |
| CVE-2014-3476 | | | 2014-06-17 | OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote… |
| CVE-2013-2014 | | | 2014-06-02 | OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests. |