PYSEC-2026-911

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/python-keystoneclient/PYSEC-2026-911.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-911
Aliases
Published
2026-07-06T08:03:26.363613Z
Modified
2026-07-07T11:45:49.916332676Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS Calculator
Summary
OpenStack Nova uses insecure keystone middleware tmpdir by default
Details

keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.

References

Affected packages

PyPI / python-keystoneclient

Package

Name
python-keystoneclient
View open source insights on deps.dev
Purl
pkg:pypi/python-keystoneclient

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.2.4

Affected versions

0.*
0.1.1
0.1.2
0.1.3
0.2.0
0.2.1
0.2.2
0.2.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/python-keystoneclient/PYSEC-2026-911.yaml"