UBUNTU-CVE-2026-33551

Source
https://ubuntu.com/security/CVE-2026-33551
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33551.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-33551
Upstream
  • CVE-2026-33551
Published
2026-04-10T03:16:00Z
Modified
2026-05-20T16:25:29.024781527Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
  • Ubuntu - medium
Summary
[none]
Details

An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.

Affected packages

Ubuntu:16.04:LTS
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2:8.*
2:8.0.0-0ubuntu1
2:9.*
2:9.0.0~b1-0ubuntu1
2:9.0.0~b2-0ubuntu1
2:9.0.0~b3-0ubuntu1
2:9.0.0~rc1-0ubuntu1
2:9.0.0-0ubuntu1
2:9.0.2-0ubuntu1
2:9.0.2-0ubuntu2
2:9.1.0-0ubuntu1
2:9.2.0-0ubuntu1
2:9.3.0-0ubuntu1
2:9.3.0-0ubuntu2
2:9.3.0-0ubuntu3
2:9.3.0-0ubuntu3.1
2:9.3.0-0ubuntu3.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:9.3.0-0ubuntu3.2",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:9.3.0-0ubuntu3.2",
            "binary_name": "python-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33551.json"

Ubuntu:18.04:LTS
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2:12.*
2:12.0.0-0ubuntu1
2:13.*
2:13.0.0~b1-0ubuntu1
2:13.0.0~b2-0ubuntu1
2:13.0.0~b3-0ubuntu1
2:13.0.0~rc1-0ubuntu1
2:13.0.0~rc2-0ubuntu1
2:13.0.0-0ubuntu1
2:13.0.1-0ubuntu1
2:13.0.2-0ubuntu1
2:13.0.2-0ubuntu3
2:13.0.4-0ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:13.0.4-0ubuntu1",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:13.0.4-0ubuntu1",
            "binary_name": "python-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33551.json"

Ubuntu:22.04:LTS
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2:20.*
2:20.0.0-0ubuntu1
2:20.0.0+git2021120815.2ddf8f321-0ubuntu1
2:20.0.0+git2022011217.771c943ad-0ubuntu1
2:20.0.0+git2022030313.a3fc9e7c3-0ubuntu1
2:21.*
2:21.0.0-0ubuntu1
2:21.0.1-0ubuntu1
2:21.0.1-0ubuntu2
2:21.0.1-0ubuntu2.1
2:21.0.1-0ubuntu2.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:21.0.1-0ubuntu2.2",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:21.0.1-0ubuntu2.2",
            "binary_name": "keystone-common"
        },
        {
            "binary_version": "2:21.0.1-0ubuntu2.2",
            "binary_name": "python3-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33551.json"

Ubuntu:24.04:LTS
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2:24.*
2:24.0.0-0ubuntu1
2:24.0.0+git2024011916.adfa92b4-0ubuntu1
2:25.*
2:25.0.0~rc1-0ubuntu1
2:25.0.0-0ubuntu1
2:25.0.0-0ubuntu1.1
2:25.0.0-0ubuntu1.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:25.0.0-0ubuntu1.2",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:25.0.0-0ubuntu1.2",
            "binary_name": "keystone-common"
        },
        {
            "binary_version": "2:25.0.0-0ubuntu1.2",
            "binary_name": "python3-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33551.json"

Ubuntu:25.10
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2:27.*
2:27.0.0-0ubuntu1
2:27.0.0+git2025080113.e066e18ab-0ubuntu1
2:28.*
2:28.0.0~rc1-0ubuntu1
2:28.0.0-0ubuntu1
2:28.0.0-0ubuntu1.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:28.0.0-0ubuntu1.1",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:28.0.0-0ubuntu1.1",
            "binary_name": "keystone-common"
        },
        {
            "binary_version": "2:28.0.0-0ubuntu1.1",
            "binary_name": "python3-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33551.json"

Ubuntu:26.04:LTS
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2:28.*
2:28.0.0-0ubuntu1
2:28.0.0-0ubuntu2
2:28.0.0+git20260119.61.8a42793e7-0ubuntu1
2:29.*
2:29.0.0~rc1-0ubuntu1
2:29.0.0-0ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:29.0.0-0ubuntu1",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:29.0.0-0ubuntu1",
            "binary_name": "keystone-common"
        },
        {
            "binary_version": "2:29.0.0-0ubuntu1",
            "binary_name": "python3-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33551.json"

Ubuntu:Pro:20.04:LTS
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone?arch=source&distro=esm-infra%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2:16.*
2:16.0.0-0ubuntu1
2:17.*
2:17.0.0~b1~git2019121613.db81fee63-0ubuntu1
2:17.0.0~b2~git2020020513.99733f172-0ubuntu1
2:17.0.0~b3~git2020032415.9f9040257-0ubuntu1
2:17.0.0~b3~git2020032415.9f9040257-0ubuntu2
2:17.0.0~b3~git2020041013.7bb6314e4-0ubuntu1
2:17.0.0-0ubuntu0.20.04.1
2:17.0.1-0ubuntu1
2:17.0.1-0ubuntu2
2:17.0.1-0ubuntu2+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:17.0.1-0ubuntu2+esm1",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:17.0.1-0ubuntu2+esm1",
            "binary_name": "keystone-common"
        },
        {
            "binary_version": "2:17.0.1-0ubuntu2+esm1",
            "binary_name": "python3-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33551.json"