Improper access control in OpenStack Keystone - CVE-2026-33551
Published: April 8, 2026
Vulnerability identifier: #VU125222
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33551
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Openstack
Affected software:
OpenStack Keystone
OpenStack Keystone
Detailed vulnerability description
The vulnerability allows a remote user to bypass application credential restrictions and obtain broader S3 permissions.
The vulnerability exists due to improper access control in the EC2 credential creation endpoint when handling requests to create EC2 credentials with a restricted application credential. A remote user can call the EC2 credential creation API to bypass application credential restrictions and obtain broader S3 permissions.
Only deployments that use restricted application credentials together with the EC2/S3 compatibility API (swift3 / s3api) are affected.
How to mitigate CVE-2026-33551
Install security update from vendor's website.