#VU125222 Improper access control in OpenStack Keystone - CVE-2026-33551
Published: April 8, 2026
Vulnerability identifier: #VU125222
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33551
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OpenStack Keystone
OpenStack Keystone
Software vendor:
Openstack
Openstack
Description
The vulnerability allows a remote user to bypass application credential restrictions and obtain broader S3 permissions.
The vulnerability exists due to improper access control in the EC2 credential creation endpoint when handling requests to create EC2 credentials with a restricted application credential. A remote user can call the EC2 credential creation API to bypass application credential restrictions and obtain broader S3 permissions.
Only deployments that use restricted application credentials together with the EC2/S3 compatibility API (swift3 / s3api) are affected.
Remediation
Install security update from vendor's website.