PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44394 OpenStack CVE debrief

A vulnerability in OpenStack Keystone before 29.0.2 allows federated identity users to bypass token expiration policies through repeated token rescoping. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin fails to propagate the original token's expires_at value to the new token. The token provider then issues a replacement with a fresh default TTL. By rescoping before each token expires, a user can maintain indefinite access. Only deployments using federated identity (SAML2, OpenID Connect) are affected. This issue is a variant of CVE-2012-3426.

Vendor
OpenStack
Product
Keystone
CVSS
MEDIUM 6.0 (CVSS 3.1)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

OpenStack cloud operators using federated identity (SAML2 or OpenID Connect); security teams managing identity lifecycle policies; compliance auditors verifying access control enforcement

Technical summary

When a federated token is rescoped, the mapped authentication plugin's handle_scoped_token() returns its response data without an expires_at value. The token provider treats the missing value as "not set" and issues the new token with the default TTL rather than the remaining lifetime of the token being rescoped. Because the rescoped token is itself eligible for rescoping, a client that rescopes shortly before each expiry resets the clock every time, so a token chain that should have died with the original login can be kept alive for as long as the client keeps calling the API. Rescoping is handled entirely inside Keystone; the identity provider is not consulted again after the initial assertion, so nothing on the IdP side bounds the chain.
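The following is an added example, not code from PatchSiren or from the Keystone project. It models only the expires_at handling the debrief describes (a token provider that falls back to its default TTL when the caller supplies no expires_at, beside a rescope path that does and one that does not propagate the parent's expiry) and then gives a check that operators can run against two real Keystone v3 token responses after patching. The 1 hour default TTL, the function names and the sample response bodies are assumptions made for the example; the expires_at timestamp format is Keystone's.

```python
"""Model of the CVE-2026-44394 token-chaining flaw plus a post-patch check.

Added example, not Keystone's own code. Keystone's internals differ; only the
expires_at behaviour described in the debrief is modelled here.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_TTL = timedelta(hours=1)  # assumed [token] expiration value (3600 s)


def issue_token(now, expires_at=None):
    """Token provider: honour a caller-supplied expires_at, else use the default TTL."""
    return {"expires_at": expires_at or now + DEFAULT_TTL}


def rescope_vulnerable(original, now):
    """Pre-29.0.2 behaviour: the parent's expires_at is dropped, so a fresh TTL is issued."""
    return issue_token(now)


def rescope_fixed(original, now):
    """Fixed behaviour: the rescoped token inherits the parent's expires_at."""
    return issue_token(now, expires_at=original["expires_at"])


def rescope_chain_length(rescope, start, step, limit):
    """Count successful rescopes (up to `limit`) when a client rescopes every `step`.

    A bounded result means the original expiry is enforced; reaching `limit`
    means the client can keep the token alive indefinitely.
    """
    now, token = start, issue_token(start)
    for n in range(limit):
        now += step
        if now >= token["expires_at"]:
            return n  # the token died before the next rescope
        token = rescope(token, now)
    return limit


def parse_keystone_expiry(token_body):
    """Read token.expires_at from a Keystone v3 token response body."""
    ts = token_body["token"]["expires_at"]  # Keystone format: 2026-05-28T11:00:00.000000Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def rescope_extends_lifetime(original_body, rescoped_body):
    """True if a rescoped token outlives its parent, i.e. the flaw is still present.

    Feed it the JSON bodies returned by the initial federated authentication and
    by the subsequent POST /v3/auth/tokens rescope request.
    """
    return parse_keystone_expiry(rescoped_body) > parse_keystone_expiry(original_body)


# Constructed sample bodies, trimmed to the field the check needs.
ORIGINAL_BODY = {"token": {"expires_at": "2026-05-28T11:00:00.000000Z"}}
RESCOPED_BODY_VULNERABLE = {"token": {"expires_at": "2026-05-28T11:50:00.000000Z"}}
RESCOPED_BODY_FIXED = {"token": {"expires_at": "2026-05-28T11:00:00.000000Z"}}

if __name__ == "__main__":
    start = datetime(2026, 5, 28, 10, 0, tzinfo=timezone.utc)
    every_50_min = timedelta(minutes=50)
    print("vulnerable chain length:", rescope_chain_length(rescope_vulnerable, start, every_50_min, 100))
    print("fixed chain length:     ", rescope_chain_length(rescope_fixed, start, every_50_min, 100))
    print("sample rescope extends lifetime (vulnerable):", rescope_extends_lifetime(ORIGINAL_BODY, RESCOPED_BODY_VULNERABLE))
    print("sample rescope extends lifetime (fixed):     ", rescope_extends_lifetime(ORIGINAL_BODY, RESCOPED_BODY_FIXED))
```

To use the check for real, authenticate once through your federated flow, save the response body, rescope the resulting token with the token auth method against POST /v3/auth/tokens, and pass both bodies to rescope_extends_lifetime(); after the 29.0.2 upgrade it should return False.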

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade OpenStack Keystone to version 29.0.2 or later; this is the only change that closes the flaw
  • Audit the configured token lifetime ([token] expiration in keystone.conf) and confirm that a rescoped federated token carries the same expires_at as the token it was derived from
  • Monitor for federated clients that call POST /v3/auth/tokens at a steady cadence just under the token lifetime, which is the pattern a client keeping a token alive by rescoping would produce
  • Apply the principle of least privilege to federated identity mappings so that a token kept alive this way grants as little as possible
  • Review historical logs for the same repeated-rescoping pattern, since a chain started before the upgrade may indicate past exploitation
  • Consider additional session and token lifetime limits at the identity provider, noting that rescoping does not revisit the IdP, so such limits bound only the initial login and do not shorten a chain that has already been started
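The monitoring and log-review items above share one detection idea: a client that keeps a token alive by rescoping must hit the token endpoint at an interval just below the token TTL, over and over. The script below is an added example, not a PatchSiren or OpenStack tool, that applies that heuristic to web-server access logs in Apache combined format (a common front end for Keystone; adjust the regex for your deployment). The 1 hour TTL, the thresholds and the sample log lines are constructed assumptions. The access log cannot show whether a given request was a rescope or a fresh authentication, and clients behind NAT share an address, so treat hits as leads to confirm against Keystone's own logs rather than as verdicts.

```python
"""Flag clients whose successful POST /v3/auth/tokens requests recur just under the token TTL.

Added example, not part of the advisory or of OpenStack. Input is Apache
combined access-log text; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(hours=1)  # assumed [token] expiration = 3600 s
MIN_FRACTION = 0.75             # an interval in [75 % of TTL, TTL) counts as "just before expiry"
MIN_HITS = 3                    # consecutive qualifying intervals needed before alerting

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def token_request_times(lines):
    """Map client IP -> sorted timestamps of successful (201) POST /v3/auth/tokens requests."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.split("?")[0] == "/v3/auth/tokens" and status == 201:
            per_ip[ip].append(ts)
    return {ip: sorted(times) for ip, times in per_ip.items()}


def chaining_suspects(lines, ttl=TOKEN_TTL, min_fraction=MIN_FRACTION, min_hits=MIN_HITS):
    """Return {ip: longest_run} for clients with >= min_hits consecutive just-under-TTL intervals."""
    suspects = {}
    for ip, times in token_request_times(lines).items():
        run = best = 0
        for earlier, later in zip(times, times[1:]):
            gap = later - earlier
            if ttl * min_fraction <= gap < ttl:
                run += 1
                best = max(best, run)
            else:
                run = 0  # a long pause or a rapid burst breaks the chaining pattern
        if best >= min_hits:
            suspects[ip] = best
    return suspects


# Constructed sample log: one client re-issuing every 55 min against a 1 h TTL,
# one client with two ordinary logins a day apart, one client with unrelated traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/May/2026:10:00:00 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 4512',
    '198.51.100.7 - - [28/May/2026:10:55:00 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 4498',
    '198.51.100.7 - - [28/May/2026:11:50:00 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 4498',
    '198.51.100.7 - - [28/May/2026:12:45:00 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 4498',
    '203.0.113.9 - - [28/May/2026:09:12:31 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 4501',
    '203.0.113.9 - - [29/May/2026:09:05:02 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 4501',
    '192.0.2.4 - - [28/May/2026:10:01:00 +0000] "GET /v3/projects HTTP/1.1" 200 812',
    '192.0.2.4 - - [28/May/2026:10:02:00 +0000] "POST /v3/auth/tokens HTTP/1.1" 401 114',
]

if __name__ == "__main__":
    for ip, run in chaining_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {run} consecutive token requests just under the TTL, check for rescoping")
```

Run it as `python3 detect_chaining.py < /dev/null` with SAMPLE_LOG replaced by `sys.stdin` lines in your own copy; tune MIN_FRACTION and MIN_HITS to your TTL and traffic, and bear in mind that a legitimate long-running tool that re-authenticates on a timer will look the same until you confirm the requests were rescopes.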

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-28. Affected versions are explicitly stated as before 29.0.2. The attack vector requires authenticated federated identity access and repeated API calls to the token rescoping endpoint. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L) reflects network attack vector, high attack complexity, low privileges required, no user interaction, changed scope, and low impacts across confidentiality, integrity, and availability.

Official resources

2026-05-28