OpenStack Keystone: Malicious credentials can create unauthorized AWS access

CVE-2026-33551
Summary

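OpenStack Keystone users holding a restricted application credential can create EC2 credentials that carry the full set of the parent user's S3 permissions, bypassing the role restrictions imposed on the application credential. The credentials in question are issued by Keystone for its EC2/S3 compatibility API (swift3 / s3api), and only deployments that use restricted application credentials together with that API are affected. To mitigate this issue, update to a fixed version of OpenStack Keystone or restrict the use of restricted application credentials with the affected API.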

Original title
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted applicati...
Original description
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
NVD CVSS 3.1: 3.5
Vulnerability type
CWE-863 Incorrect Authorization
Published: 10 Apr 2026 · Updated: 10 Apr 2026 · First seen: 10 Apr 2026