PYSEC-2026-619

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/aodh/PYSEC-2026-619.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-619
Aliases
Published
2026-07-02T14:13:24.418168Z
Modified
2026-07-06T08:00:10.252918009Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Openstack Aodh can be used to launder Keystone trusts
Details

Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.

References

Affected packages

PyPI / aodh

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.1

Affected versions

0.*
0.0.1.dev4004
1.*
1.1.0
1.1.1
1.1.2
1.1.3
2.*
2.0.0.0b1
2.0.0.0b2
2.0.0.0b3
2.0.0.0rc1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
3.*
3.0.0.0b2
3.0.0.0b3
3.0.0.0rc1
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
4.*
4.0.0
4.0.1
4.0.2
4.0.3
5.*
5.0.0
5.1.0
5.1.1
6.*
6.0.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/aodh/PYSEC-2026-619.yaml"