| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | N/A |
| CWE-ID | CWE-863 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software | OpenStack Keystone Client/Desktop applications / Other client software |
| Vendor | Openstack |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
EUVDB-ID: #VU118095
Risk: Critical
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/U:Red]
CVE-ID: N/A
CWE-ID: CWE-863 - Incorrect Authorization
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect authorization checks within the ec2tokens and s3tokens API endpoints. A remote non-authenticated attacker can send a valid AWS Signature (e.g., from a presigned S3 URL) and obtain Keystone authorization (ec2tokens can yield a fully scoped token; s3tokens can reveal scope accepted by some services), resulting in unauthorized access and code execution.
Deployments where /v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated clients (e.g., exposed on a public API) are affected.
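As an added example (not part of this bulletin or of Keystone's own code), a small Python check that scans the web-server access log in front of Keystone for requests to /v3/ec2tokens and /v3/s3tokens arriving from outside a set of trusted networks, which is the exposure condition described above. The combined log format, the trusted network ranges and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re
from typing import Iterable

# Endpoints named in the bulletin as affected by the authorization bypass.
AFFECTED_PATHS = ("/v3/ec2tokens", "/v3/s3tokens")

# Assumption: Keystone is fronted by a web server writing combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: internal service networks whose clients legitimately use these endpoints.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]


def is_trusted(src: str) -> bool:
    """True when the source address falls inside a trusted (internal) network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # hostnames or malformed fields are treated as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_exposed_token_requests(lines: Iterable[str]) -> list[dict]:
    """Return requests to the affected endpoints that came from untrusted sources.

    A 2xx status on such a request means the endpoint handed out (or validated)
    a token for an external caller, which is exactly the condition the patch closes.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Strip query strings and trailing slashes; endswith() also covers
        # deployments that mount Keystone under a prefix such as /identity.
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if not any(path.endswith(p) for p in AFFECTED_PATHS):
            continue
        if is_trusted(m.group("src")):
            continue
        hits.append({"src": m.group("src"), "ts": m.group("ts"), "method": m.group("method"),
                     "path": path, "status": int(m.group("status"))})
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.3.7 - - [01/Apr/2025:10:00:01 +0000] "POST /v3/ec2tokens HTTP/1.1" 200 1432',
    '203.0.113.45 - - [01/Apr/2025:10:00:02 +0000] "POST /v3/ec2tokens HTTP/1.1" 200 1432',
    '203.0.113.45 - - [01/Apr/2025:10:00:03 +0000] "POST /identity/v3/s3tokens HTTP/1.1" 401 112',
    '198.51.100.9 - - [01/Apr/2025:10:00:04 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 980',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_exposed_token_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with a 2xx status from an address that is not a known internal service is a strong signal that the endpoints are reachable by unauthenticated clients and that the update should be applied immediately.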
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
OpenStack Keystone: 8.0.0, 8.0.1, 8.1.0, 8.1.2, 9.0.0, 9.0.1, 9.0.2, 9.1.0, 9.2.0, 9.3.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.2.0, 15.0.0, 15.0.1, 16.0.0, 16.0.0-5, 16.0.1, 16.0.2, 17.0.0, 17.0.1, 18.0.0, 18.1.0, 19.0.0, 19.0.1, 20.0.0, 20.0.1, 21.0.0, 21.0.1, 22.0.0, 22.0.1, 22.0.2, 23.0.0, 23.0.1, 23.0.2, 24.0.0, 24.1.0, 25.0.0, 26.0.0, 2011.3, 2011.3.1, 2012.1, 2012.1.1, 2012.1.2, 2012.1.3, 2012.2, 2012.2.1, 2012.2.3, 2012.2.4, 2013.1, 2013.1.1, 2013.1.2, 2013.1.3, 2013.1.4, 2013.1.5, 2013.2, 2013.2.1, 2013.2.2, 2013.2.3, 2013.2.4, 2014.1, 2014.1.1, 2014.1.2, 2014.1.2.1, 2014.1.3, 2014.1.4, 2014.1.5, 2014.2, 2014.2.1, 2014.2.2, 2014.2.3, 2014.2.4, 2015.1.0, 2015.1.1, 2015.1.2, 2015.1.3, 2015.1.4 and previous versions
Vendor advisory: https://security.openstack.org/ossa/OSSA-2025-002.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.