SB2026062267 - Multiple vulnerabilities in Red Hat OpenStack 17.1 packages
Published: June 22, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-33551)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass application credential restrictions and obtain broader S3 permissions.
The vulnerability exists due to improper access control in the EC2 credential creation endpoint when handling requests to create EC2 credentials with a restricted application credential. A remote user can call the EC2 credential creation API to bypass application credential restrictions and obtain broader S3 permissions.
Only deployments that use restricted application credentials together with the EC2/S3 compatibility API (swift3 / s3api) are affected.
2) Incorrect authorization (CVE-ID: CVE-2025-65073)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/U:Red
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect authorization checks within the ec2tokens and s3tokens API endpoints. A remote non-authenticated attacker can send a valid AWS Signature (e.g., from a presigned S3 URL) and obtain Keystone authorization (ec2tokens can yield a fully scoped token; s3tokens can reveal scope accepted by some services), resulting in unauthorized access and code execution.
Deployments where /v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated clients (e.g., exposed on a public API) are affected.
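Added example, not from the bulletin or from Red Hat: a log check for the exposure condition above. It assumes Apache combined-format access logs from the httpd front end that Keystone normally runs behind, and a list of trusted CIDRs covering the Swift proxy and other internal callers; any ec2tokens/s3tokens request from outside those networks is flagged, and a 200 from such a source means a token was actually issued to an unauthenticated client.

```python
import ipaddress
import re
from collections import Counter

# Assumed Apache "combined" access-log format (an assumption, not stated in the bulletin).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Endpoints named in the bulletin: reachable by unauthenticated clients means affected.
WATCHED_PATHS = ("/v3/ec2tokens", "/v3/s3tokens")

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/")  # drop query string, trailing slash
    return rec

def is_untrusted(ip, trusted_nets):
    """True if the source address is outside every trusted network (or unparseable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in trusted_nets)

def find_exposed_token_requests(lines, trusted_cidrs):
    """Return records for ec2tokens/s3tokens calls coming from outside the trusted CIDRs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in WATCHED_PATHS and is_untrusted(rec["ip"], trusted):
            hits.append(rec)
    return hits

def summarize(hits):
    """Count flagged requests per (source ip, endpoint, HTTP status) for triage."""
    return Counter((h["ip"], h["path"], h["status"]) for h in hits)

# Constructed sample log lines; 10.0.0.15 stands in for an internal Swift proxy.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jun/2026:10:01:02 +0000] "POST /v3/ec2tokens HTTP/1.1" 200 1432',
    '203.0.113.7 - - [22/Jun/2026:10:01:05 +0000] "POST /v3/s3tokens HTTP/1.1" 200 512',
    '10.0.0.15 - - [22/Jun/2026:10:02:00 +0000] "POST /v3/s3tokens HTTP/1.1" 200 512',
    '198.51.100.9 - - [22/Jun/2026:10:03:11 +0000] "GET /v3/ HTTP/1.1" 200 300',
    '203.0.113.7 - - [22/Jun/2026:10:04:00 +0000] "POST /v3/ec2tokens HTTP/1.1" 401 120',
]

if __name__ == "__main__":
    for key, n in summarize(find_exposed_token_requests(SAMPLE_LOG, ["10.0.0.0/8"])).items():
        print(key, n)
```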
Remediation
Install the updates from the vendor's website.