PYSEC-2026-602

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2026-602.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-602
Aliases
Published
2026-05-01T09:16:17.273Z
Modified
2026-07-02T12:56:15.206675336Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied projectid for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original appcred_id, enabling cross-project lateral movement within the credential owner's role footprint.

References

Affected packages

PyPI / keystone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.0.0
Fixed
27.0.2
Introduced
28.0.0
Fixed
28.0.2
Introduced
29.0.0
Fixed
29.0.2

Affected versions

14.*
14.0.0
14.0.1
14.1.0
14.2.0
15.*
15.0.0.0rc1
15.0.0.0rc2
15.0.0
15.0.1
16.*
16.0.0.0rc1
16.0.0.0rc2
16.0.0
16.0.1
16.0.2
17.*
17.0.0.0rc1
17.0.0.0rc2
17.0.0
17.0.1
18.*
18.0.0.0rc1
18.0.0
18.1.0
19.*
19.0.0.0rc1
19.0.0.0rc2
19.0.0
19.0.1
20.*
20.0.0.0rc1
20.0.0
20.0.1
21.*
21.0.0.0rc1
21.0.0
21.0.1
22.*
22.0.0.0rc1
22.0.0
22.0.1
22.0.2
23.*
23.0.0.0rc1
23.0.0
23.0.1
23.0.2
24.*
24.0.0.0rc1
24.0.0
24.1.0
25.*
25.0.0.0rc1
25.0.0
26.*
26.0.0.0rc1
26.0.0
26.1.0
26.1.1
27.*
27.0.0.0rc1
27.0.0
27.0.1
28.*
28.0.0
28.0.1
29.*
29.0.0
29.0.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2026-602.yaml"