PatchSiren cyber security CVE debrief
CVE-2026-33551 OpenStack CVE debrief
A low-severity vulnerability was discovered in OpenStack Keystone, affecting versions 14 through 26 prior to 26.1.1, and the 27.0.0, 28.0.0 and 29.0.0 releases. An authenticated user holding only the reader role can use a restricted application credential to create EC2 credentials, bypassing the role restrictions that the application credential was meant to enforce.
- Vendor: OpenStack
- Product: Keystone
- CVSS: LOW 3.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-10
- Original CVE updated: 2026-06-05
- Advisory published: 2026-04-10
- Advisory updated: 2026-06-05
Who should care
Deployments that issue restricted application credentials and also expose the EC2/S3 compatibility API (swift3 / s3api), where Keystone EC2 credentials are accepted for S3-style authentication, are affected.
Technical summary
The vulnerability exists in OpenStack Keystone versions 14 through 26 prior to 26.1.1, and in 27.0.0, 28.0.0 and 29.0.0. Keystone does not stop a token obtained from a restricted application credential from creating EC2 credentials. Because an EC2 credential is bound to the parent user rather than to the application credential it was created with, an authenticated user whose application credential carries only the reader role can obtain EC2/S3 credentials that carry the parent user's full set of S3 permissions.
Defensive priority
low
Recommended defensive actions
- Upgrade Keystone to a fixed release: 26.1.1, 27.0.1, 28.0.1 or 29.0.1.
- Review existing application credentials: confirm which are restricted, which roles they carry, and which of their owners also hold EC2 credentials on the same project.
- Monitor for creation and use of EC2/S3 credentials, particularly from sessions authenticated with application credentials.
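The review step needs a starting inventory. The script below is an added example, not Keystone's or OpenStack's own tooling: it cross-references three Keystone v3 API responses (GET /v3/credentials, GET /v3/users/{user_id}/application_credentials, and GET /v3/role_assignments?effective&include_names&user.id=...) and reports every EC2 credential whose owner also holds a restricted application credential on the same project, together with the roles the EC2 credential would grant beyond the application credential's own role list. The payloads embedded here are constructed samples; only the field names follow the real API response shapes.

```python
"""Audit aid for CVE-2026-33551 (added example, not Keystone code).

Finds EC2 credentials whose owner also holds a restricted application
credential on the same project, and shows which roles the EC2 credential
carries beyond that application credential's role list.
"""
import json

# Constructed sample of GET /v3/credentials. For type "ec2" the blob is a
# JSON string holding the access/secret pair.
CREDENTIALS = {
    "credentials": [
        {"id": "c1", "type": "ec2", "user_id": "u-alice", "project_id": "p-web",
         "blob": json.dumps({"access": "AKIA-SAMPLE-1", "secret": "redacted"})},
        {"id": "c2", "type": "ec2", "user_id": "u-bob", "project_id": "p-web",
         "blob": json.dumps({"access": "AKIA-SAMPLE-2", "secret": "redacted"})},
        {"id": "c3", "type": "cert", "user_id": "u-alice", "project_id": "p-web",
         "blob": "-----BEGIN CERTIFICATE-----..."},
    ]
}

# Constructed sample of GET /v3/users/{user_id}/application_credentials,
# keyed by user id. "unrestricted": False marks a restricted credential.
APP_CREDS = {
    "u-alice": [
        {"id": "ac1", "name": "ci-readonly", "project_id": "p-web",
         "unrestricted": False,
         "roles": [{"id": "r-reader", "name": "reader"}]},
    ],
    "u-bob": [
        {"id": "ac2", "name": "deploy", "project_id": "p-web",
         "unrestricted": True,
         "roles": [{"id": "r-member", "name": "member"}]},
    ],
}

# Constructed sample of GET /v3/role_assignments?effective&include_names
# &user.id=<id>, keyed by user id. "effective" folds in group-granted roles.
ROLE_ASSIGNMENTS = {
    "u-alice": [
        {"role": {"id": "r-reader", "name": "reader"},
         "scope": {"project": {"id": "p-web"}}},
        {"role": {"id": "r-member", "name": "member"},
         "scope": {"project": {"id": "p-web"}}},
    ],
    "u-bob": [
        {"role": {"id": "r-member", "name": "member"},
         "scope": {"project": {"id": "p-web"}}},
    ],
}


def ec2_credentials(payload):
    """Return the EC2-type credentials with their access key decoded from the blob."""
    out = []
    for cred in payload["credentials"]:
        if cred.get("type") != "ec2":
            continue
        blob = json.loads(cred["blob"])
        out.append({"id": cred["id"], "user_id": cred["user_id"],
                    "project_id": cred["project_id"], "access": blob["access"]})
    return out


def project_roles(assignments, project_id):
    """Role names a user holds on one project, from an effective role_assignments list."""
    return {a["role"]["name"] for a in assignments
            if a.get("scope", {}).get("project", {}).get("id") == project_id}


def audit(credentials, app_creds_by_user, roles_by_user):
    """Pair each EC2 credential with restricted app creds of the same user/project."""
    findings = []
    for ec2 in ec2_credentials(credentials):
        user, project = ec2["user_id"], ec2["project_id"]
        full_roles = project_roles(roles_by_user.get(user, []), project)
        for ac in app_creds_by_user.get(user, []):
            # Only restricted credentials on the same project are in scope.
            if ac["unrestricted"] or ac["project_id"] != project:
                continue
            ac_roles = {r["name"] for r in ac["roles"]}
            findings.append({
                "ec2_credential": ec2["id"],
                "access_key": ec2["access"],
                "user_id": user,
                "project_id": project,
                "application_credential": ac["id"],
                "app_cred_roles": sorted(ac_roles),
                # Roles the EC2 credential grants that the app cred did not.
                "extra_roles_via_ec2": sorted(full_roles - ac_roles),
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(CREDENTIALS, APP_CREDS, ROLE_ASSIGNMENTS), indent=2))
```

Keystone does not record which token created an EC2 credential, so the output is a review list rather than proof that a credential was minted through an application credential; in the sample, Alice's EC2 credential is reported because her restricted reader-only credential sits beside an EC2 credential that carries her member role, while Bob's unrestricted credential is skipped. Run the real queries with a token that can list credentials project-wide, and use the `effective` role-assignment filter so group-granted roles are counted.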
Evidence notes
The vulnerability was discovered and reported through the OpenStack bug tracking system.
Official resources
- CVE-2026-33551 CVE record (CVE.org)
- CVE-2026-33551 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] - Exploit, Issue Tracking
- Mitigation or vendor reference: [email protected] - Vendor Advisory, Patch
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Patch, Third Party Advisory