OSSA-2026-005: Restricted application credentials can create EC2 credentials
| Property | Value |
|---|---|
| Date | 2026-04-07 |
| CVE | CVE-2026-33551 |
| Severity | Medium |
| Affected Project | Keystone |
| Reporter | Maxence Bornecque (Orange Cyberdefense CERT Vulnerability Intelligence Watch Team) |
Summary
A vulnerability was discovered in OpenStack Keystone's EC2 credential creation endpoint. An authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions by exploiting a restricted application credential. This effectively circumvents role restrictions on the application credential.
Affected Versions
| Keystone Version | Status |
|---|---|
| >= 14.0.0, < 26.1.1 | Vulnerable |
| == 27.0.0 | Vulnerable |
| == 28.0.0 | Vulnerable |
| == 29.0.0 | Vulnerable |
| >= 26.1.1 (Caracal) | Fixed |
| >= 27.0.1 (Dalmatian) | Fixed |
| >= 28.0.1 (Epoxy) | Fixed |
| >= 29.0.1 (Flamingo) | Fixed |
| >= 30.0.0 (Gazpacho) | Fixed |
Impact on OSISM
This vulnerability only affects OSISM deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3/s3api). Standard OSISM deployments that do not use restricted application credentials or do not expose the EC2/S3 compatibility API are not affected.
You are potentially affected if:
- You use restricted application credentials (created with the `--restricted` flag)
- You expose the EC2/S3 compatibility API (swift3 or s3api middleware)
How to Check if You Are Affected
Check for Restricted Application Credentials
Check whether any restricted application credentials exist in your deployment (note that `openstack application credential list` only shows the credentials of the user you authenticate as unless you pass `--user`):
```shell
docker exec keystone keystone-manage credential_list 2>/dev/null || \
openstack application credential list --long 2>/dev/null
```
Check for EC2/S3 API Availability
Check if the S3 API middleware is enabled:
```shell
docker exec keystone grep -E "s3api|swift3|ec2" /etc/keystone/keystone-paste.ini
```
If neither restricted application credentials nor the EC2/S3 API is in use, your deployment is not affected.
Vulnerability Details
When an EC2 credential is created through Keystone's EC2 API endpoint, the service does not properly enforce the restrictions of the application credential used for authentication. A user authenticated with a restricted application credential (which should limit the scope of operations) can create an EC2/S3 credential that inherits the full set of S3 permissions from the parent user, bypassing the intended role restrictions.
Remediation
For OSISM Releases
A fix will be included in upcoming OSISM releases that ship a patched Keystone version. Consult the OSISM Release Notes for version information and availability.
Alternatively, you can use rolling tags to override the Keystone container image with a version that includes the fix. Configure the following in `environments/kolla/images.yml`:
```yaml
keystone_tag: "2024.2"  # or "2025.1", depending on your OpenStack release
```
Mitigation
If you are using restricted application credentials with the EC2/S3 API, consider the following measures:
- Auditing existing EC2 credentials for any created via restricted application credentials
- Restricting access to the EC2 credential creation API endpoint via policy overrides
- Monitoring for unexpected EC2 credential creation activity
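As an added example for the monitoring measure above (not part of this advisory or of OSISM), the script below scans Keystone access-log lines for requests to the v3 EC2 credential creation endpoint, `POST /v3/users/{user_id}/credentials/OS-EC2`, and reports every attempt together with its HTTP status so that both successful creations (201) and policy denials (403) surface. It assumes an Apache combined-style log format; the sample lines and user IDs are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Assumed Apache "combined"-style access log line (client, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Keystone v3 endpoint that mints EC2 credentials for a user.
EC2_CREATE_RE = re.compile(r'^/v3/users/(?P<user_id>[0-9a-f]{32})/credentials/OS-EC2/?$')

# Constructed sample log: one successful creation, one denied attempt, two unrelated requests.
SAMPLE_LOG = """\
10.0.0.12 - - [07/Apr/2026:10:15:01 +0000] "GET /v3/auth/tokens HTTP/1.1" 200 1532 "-" "python-keystoneclient"
10.0.0.12 - - [07/Apr/2026:10:15:02 +0000] "POST /v3/users/5c7a0b2e3f4d4e5f8a9b0c1d2e3f4a5b/credentials/OS-EC2 HTTP/1.1" 201 412 "-" "python-keystoneclient"
10.0.0.44 - - [07/Apr/2026:10:16:40 +0000] "POST /v3/users/0123456789abcdef0123456789abcdef/credentials/OS-EC2 HTTP/1.1" 403 103 "-" "curl/8.5.0"
10.0.0.12 - - [07/Apr/2026:10:17:00 +0000] "GET /v3/users/5c7a0b2e3f4d4e5f8a9b0c1d2e3f4a5b/credentials/OS-EC2 HTTP/1.1" 200 880 "-" "python-keystoneclient"
"""


@dataclass(frozen=True)
class Ec2CredentialAttempt:
    timestamp: str
    client: str
    user_id: str
    status: int


def find_ec2_credential_attempts(lines, expected_users=frozenset()):
    """Return EC2 credential creation attempts for users not in the expected set."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        p = EC2_CREATE_RE.match(m['path'])
        if not p or p['user_id'] in expected_users:
            continue
        hits.append(Ec2CredentialAttempt(m['ts'], m['client'], p['user_id'], int(m['status'])))
    return hits


if __name__ == '__main__':
    for hit in find_ec2_credential_attempts(SAMPLE_LOG.splitlines()):
        print(f"{hit.timestamp} {hit.client} user={hit.user_id} status={hit.status}")
```

Feed the real access log of the keystone container instead of `SAMPLE_LOG`, and put the IDs of service accounts that legitimately mint EC2 credentials into `expected_users` to cut noise.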