PYSEC-2026-649

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2026-649.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-649
Aliases
Published
2026-07-02T14:13:23.805823Z
Modified
2026-07-06T08:00:46.215644054Z
Summary
OpenStack Identity Keystone is vulnerable to Block delegation escalation of privilege
Details

OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.

References

Affected packages

PyPI / keystone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.0.0a0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2026-649.yaml"