PatchSiren cyber security CVE debrief
CVE-2026-42999 OpenStack CVE debrief
An RBAC policy enforcement bypass vulnerability exists in OpenStack Keystone before version 29.0.2. The flaw resides in the `enforce_call` method, where the RBAC policy enforcer unconditionally merges the raw JSON request body into the policy enforcement dictionary via `policy_dict.update(json_input.copy())`. This operation overwrites trusted target data previously populated from database lookups. Because `flask.request.get_json` is invoked with `force=True`, the attack succeeds regardless of Content-Type header or HTTP method. Any authenticated attacker can inject arbitrary policy target attributes—such as `user_id` or `project_id`—into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. The vulnerability was introduced in commit 5ea59f52 (Rocky/14.0.0).
- Vendor: OpenStack
- Product: Keystone
- CVSS: MEDIUM 6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
- Organizations operating private or public OpenStack clouds that use Keystone for identity and access management
- Cloud service providers offering OpenStack-based infrastructure
- Security teams responsible for IAM policy enforcement in cloud environments
- DevOps engineers managing OpenStack upgrades and patch cycles
Technical summary
The vulnerability stems from insecure merging of untrusted user input into policy enforcement context. In `enforce_call`, the code calls `policy_dict.update(json_input.copy())` after `flask.request.get_json(force=True)` retrieves the request body. The `force=True` parameter causes Flask to parse JSON regardless of Content-Type, and the unconditional dictionary update allows attacker-controlled values to overwrite database-derived target attributes. This breaks the security model where policy enforcement should rely on server-verified identity and resource attributes rather than client-supplied values. The scope change in CVSS (S:C) reflects that successful exploitation can affect resources beyond the immediate request context.
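To make the merge-order problem concrete, the following added example (not Keystone's code, and not the upstream fix) models the policy dictionary built by `enforce_call`: a vulnerable builder that lets the request body overwrite server-derived target attributes, beside a hardened builder that keeps those attributes authoritative and reports the clashing keys so they can be logged. The `lookup_target_from_db` data, the `TRUSTED_TARGET_KEYS` set and the toy owner rule are constructed for this illustration.

```python
# Added illustration of the enforce_call merge pattern; constructed sample data,
# not Keystone's own code or its upstream fix.

# Assumption: target attributes that must only ever come from the server side.
TRUSTED_TARGET_KEYS = {"user_id", "project_id", "domain_id"}


def lookup_target_from_db(resource_id):
    """Stand-in for the database lookup that populates target data."""
    db = {"cred-1": {"user_id": "user-A", "project_id": "proj-A"}}  # constructed
    return dict(db[resource_id])


def build_policy_dict_vulnerable(target, json_input):
    """Mirrors the flaw: the raw request body is merged last, so any key the
    client supplies silently replaces the trusted, server-derived value."""
    policy_dict = {}
    policy_dict.update(target)
    policy_dict.update(json_input.copy())  # client-controlled values win
    return policy_dict


def build_policy_dict_hardened(target, json_input):
    """Server-derived attributes stay authoritative: body keys that collide
    with them are dropped, and returned so the caller can log the attempt."""
    clashes = sorted(k for k in json_input
                     if k in target or k in TRUSTED_TARGET_KEYS)
    policy_dict = {k: v for k, v in json_input.items() if k not in clashes}
    policy_dict.update(target)  # trusted data applied last, never overwritten
    return policy_dict, clashes


def owner_check(policy_dict, creds):
    """Toy rule equivalent to a `user_id:%(user_id)s` owner check."""
    return policy_dict.get("user_id") == creds["user_id"]


def demo():
    """Authenticated user-B sends a body claiming user-A's credential."""
    creds = {"user_id": "user-B"}
    body = {"user_id": "user-B", "name": "renamed"}
    target = lookup_target_from_db("cred-1")
    vulnerable = owner_check(build_policy_dict_vulnerable(target, body), creds)
    hardened_dict, clashes = build_policy_dict_hardened(target, body)
    hardened = owner_check(hardened_dict, creds)
    return {"vulnerable_allows": vulnerable, "hardened_allows": hardened,
            "dropped_keys": clashes}


if __name__ == "__main__":
    print(demo())
```

The dropped-key list is the signal a detection rule would key on: an authenticated request whose body carries target attributes the server already resolved from its own records.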
Defensive priority
HIGH
Recommended defensive actions
- Upgrade OpenStack Keystone to version 29.0.2 or later to remediate the vulnerability
- Review and audit Keystone API access logs for anomalous requests containing unexpected `user_id` or `project_id` values in request bodies, particularly from authenticated users accessing resources outside their scope
- Implement network segmentation to restrict Keystone API access to authorized administrative hosts and services
- Enable comprehensive request logging and monitoring for Keystone API endpoints to detect potential exploitation attempts
- Validate that WAF or API gateway rules do not inadvertently allow JSON body parsing when Content-Type headers are non-standard, as the vulnerability bypasses Content-Type checks
- Review custom RBAC policies for reliance on target attributes that could be manipulated through this injection vector
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Affected version range and commit introduction point explicitly stated in CVE description. CVSS 3.1 vector confirms network attack vector with high attack complexity, low privileges required, and scope change indicating impact beyond vulnerable component. CWE-863 (Incorrect Authorization) classified by MITRE. Official OpenStack Security Advisory (OSSA-2026-015) and Launchpad bug tracker reference provide vendor acknowledgment.
Official resources
2026-05-28