An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handlescopedtoken() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "14.0.0"
},
{
"fixed": "27.0.2"
},
{
"introduced": "28.0.0"
},
{
"fixed": "28.0.2"
},
{
"introduced": "29.0.0"
},
{
"fixed": "29.0.2"
}
]
},
{
"source": "CPE_FIELD",
"extracted_events": [
{
"introduced": "14.0.0"
},
{
"fixed": "27.0.2"
},
{
"introduced": "28.0.0"
},
{
"fixed": "28.0.2"
},
{
"introduced": "29.0.0"
},
{
"fixed": "29.0.2"
}
]
},
{
"source": "DESCRIPTION",
"extracted_events": [
{
"fixed": "29.0.2"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44394.json",
"cna_assigner": "mitre",
"cwe_ids": [
"CWE-863"
]
}{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "14.0.0"
},
{
"fixed": "27.0.2"
},
{
"introduced": "28.0.0"
},
{
"fixed": "28.0.2"
},
{
"introduced": "29.0.0"
},
{
"fixed": "29.0.2"
}
]
}