OpenStack Keystone CVE-2026-43001 Allows Cross-Project Lateral Movement
The National Vulnerability Database has detailed CVE-2026-43001, a critical flaw in OpenStack Keystone versions 13 through 29. This vulnerability stems from inadequate validation within the POST /v3/credentials endpoint. Specifically, Keystone failed to verify that the project_id supplied by a caller for an EC2-type credential matched the project associated with the authenticating application credential.
This oversight creates a significant bypass. An attacker possessing an unrestricted application credential for Project A could craft an EC2 credential targeting Project B. Subsequently, a /v3/ec2tokens exchange would yield a Keystone token scoped to Project B, all while retaining the original application credential identifier. The National Vulnerability Database indicates this effectively enables cross-project lateral movement, allowing an attacker to operate within the credential owner’s role footprint across different projects. The CVSS score is 7.9 (HIGH).
This isn’t just a misconfiguration; it’s a design flaw in the credential validation logic. For defenders, this means a compromised application credential isn’t just contained to its original project. It becomes a pivot point for broader internal compromise. Organizations running OpenStack must recognize this as a critical path to escalating privileges and expanding breach scope.
What This Means For You
- If your organization uses OpenStack Keystone versions 13 through 29, this vulnerability is a direct path to privilege escalation and lateral movement across your projects. You must identify all instances running these affected versions and prioritize patching immediately. Furthermore, audit your application credentials for unnecessary permissions and revoke any unrestricted credentials that are not absolutely essential. An attacker only needs one to start moving.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
OpenStack Keystone CVE-2026-43001 - Unauthorized EC2 Credential Creation
title: OpenStack Keystone CVE-2026-43001 - Unauthorized EC2 Credential Creation
id: scw-2026-05-01-ai-1
status: experimental
level: high
description: |
Detects the specific API endpoint POST /v3/credentials used in CVE-2026-43001. This vulnerability allows an attacker to create EC2-type credentials targeting a project different from the authenticating application credential's project, enabling cross-project lateral movement.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-43001/
tags:
- attack.privilege_escalation
- attack.t1078.004
logsource:
category: webserver
detection:
selection:
cs-method:
- 'POST'
cs-uri:
- '/v3/credentials'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43001 | Auth Bypass | OpenStack Keystone versions 13 through 29 |
| CVE-2026-43001 | Privilege Escalation | POST /v3/credentials endpoint |
| CVE-2026-43001 | Auth Bypass | EC2-type credential project_id validation bypass |
| CVE-2026-43001 | Information Disclosure | Cross-project lateral movement via /v3/ec2tokens exchange |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 01, 2026 at 12:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7567: WordPress Temporary Login Plugin Critical Auth Bypass
CVE-2026-7567 — The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper...
OpenStack Ironic Python Agent Vulnerability CVE-2026-43003 Allows Code Execution
CVE-2026-43003 — An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the...
CVE-2026-42403: Apache Neethi DoS Vulnerability via Circular References
CVE-2026-42403 — Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references...