CVE-2026-33551

Published: Apr 10, 2026

Modified: Apr 10, 2026

PUBLISHED

CVSS v3.1

3.5

LOW

Description

An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.

Vendor	Product	Versions
OpenStack	Keystone	affected `14.0.0 - < 26.1.1` affected `27.0.0` affected `28.0.0` affected `29.0.0`

Weaknesses (CWE)

CWE-863

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

References

https://bugs.launchpad.net/keystone/+bug/2142138

https://security.openstack.org/ossa/OSSA-2026-005.html

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-33551

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References