PatchSiren cyber security CVE debrief

CVE-2026-43000 OpenStack CVE debrief

A privilege escalation vulnerability in OpenStack Keystone before 29.0.2 allows an attacker with the member role on a project to escalate to admin privileges by chaining application credential impersonation with Keystone trusts. The vulnerability stems from improper authorization validation where Keystone validates delegated roles against the victim's actual role assignments in the database rather than the roles present on the requesting token. This enables an attacker to create a trust delegating the victim's admin role to themselves, with the trust persisting independently for continued access. All malicious actions are logged under the victim's identity, complicating detection and attribution. The CVSS 3.1 vector indicates network attack vector, high attack complexity, low privileges required, no user interaction, changed scope, and low impacts to confidentiality, integrity, and availability.

Vendor: OpenStack
Product: Keystone
CVSS: MEDIUM 6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

OpenStack cloud operators, identity and access management teams, security operations centers monitoring cloud infrastructure, and organizations running Keystone-based authentication services

Technical summary

The vulnerability exists in the trust validation logic of OpenStack Keystone. When an attacker obtains an impersonated token through an application credential vulnerability, that token carries the victim's identity. During trust creation, Keystone validates the trustor (victim) identity correctly but validates the delegated roles against the victim's role assignments in the database rather than against the roles asserted on the requesting token. A token that asserts the victim's identity while carrying only member-level roles can therefore delegate the victim's admin role. Because the resulting trust persists independently of the original token, the access it grants outlives the token that created it. The attack complexity is rated HIGH because the prerequisite application credential impersonation vulnerability must be present.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade OpenStack Keystone to version 29.0.2 or later
  • Review trust relationships and application credentials for unauthorized delegations
  • Audit Keystone logs for anomalous trust creation events
  • Implement principle of least privilege for application credentials
  • Monitor for trust creation events where trustor and trustee identities differ unexpectedly
  • Validate that role delegation checks enforce the roles present on the requesting token rather than roles resolved from the database assignments
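The technical summary and the last action above describe the same check from two sides: delegated roles resolved from the assignment store versus roles carried on the requesting token. The following is an added illustration, not Keystone code; the token model, the in-memory assignment store and the user and project names are constructed for the example.

```python
# Hypothetical model of the trust-creation authorization check (not Keystone's code).
# A trust delegates some of the trustor's roles on a project to a trustee.  The weak
# check resolves the trustor's roles from the assignment store; the hardened check
# only accepts roles that the requesting token itself carries (and still holds).
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    user_id: str        # identity the token asserts (may be impersonated)
    project_id: str
    roles: frozenset    # roles actually present on the token


# Constructed assignment store: user -> project -> roles held in the database.
ASSIGNMENTS = {
    "victim": {"proj-a": frozenset({"admin", "member"})},
    "attacker": {"proj-a": frozenset({"member"})},
}

# Constructed tokens: one impersonates the victim with only member-level roles,
# the other is the victim's own admin token.
IMPERSONATED = Token("victim", "proj-a", frozenset({"member"}))
LEGITIMATE = Token("victim", "proj-a", frozenset({"admin", "member"}))


def assigned_roles(user_id, project_id):
    """Roles the assignment store records for user_id on project_id."""
    return ASSIGNMENTS.get(user_id, {}).get(project_id, frozenset())


def missing_roles_weak(token, requested):
    """Weak check: compares requested roles with the trustor's DB assignments only."""
    return frozenset(requested) - assigned_roles(token.user_id, token.project_id)


def missing_roles_hardened(token, requested):
    """Hardened check: a role may be delegated only if it is on the token AND still assigned."""
    allowed = token.roles & assigned_roles(token.user_id, token.project_id)
    return frozenset(requested) - allowed


def create_trust(token, trustee_id, requested, check=missing_roles_hardened):
    """Return the trust record, or None when any requested role is not delegable."""
    if check(token, requested):
        return None
    return {"trustor_user_id": token.user_id, "trustee_user_id": trustee_id,
            "project_id": token.project_id, "roles": sorted(requested)}
```

With the weak check the impersonated member-level token can delegate admin; with the hardened check the same request is refused while the victim's genuine admin token still works.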

Evidence notes

Vulnerability description sourced from official CVE record published 2026-05-28. Affected product identified as OpenStack Keystone before 29.0.2. Vendor attribution supported by Launchpad bug tracker reference. Official OpenStack Security Advisory (OSSA-2026-015) confirms vulnerability details and remediation status. CWE-863 (Incorrect Authorization) classified as primary weakness.

Official resources

2026-05-28