OpenStack Keystone
cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*
- >= 14.0.0, < 27.0.2
- >= 28.0.0, < 28.0.2
- >= 29.0.0, < 29.0.2
A vulnerability exists in OpenStack Keystone versions prior to 29.0.2, allowing authenticated users to inject arbitrary policy target attributes via the JSON request body. This injection bypasses role-based access control (RBAC) checks, enabling unauthorized operations on resources belonging to other users or projects. The vulnerability arises because the Keystone RBAC policy enforcer unconditionally merges the raw JSON request body into the policy enforcement dictionary, overwriting trusted target data from database lookups. Exploitation is possible regardless of the Content-Type or HTTP method, due to the use of 'force=True' in the 'get_json' method.
Exploitation of this vulnerability allows authenticated users to bypass RBAC checks on approximately 88 endpoints across 15 API resource areas, leading to unauthorized access and actions on behalf of other users or projects. This includes reading sensitive credential information, such as EC2 access and secret keys, and performing actions that could escalate privileges to cloud administrator level.
To reproduce this vulnerability, send a JSON request with a 'target' key that includes attributes such as 'user_id' or 'project_id'. The 'get_json' method will parse the request body and merge it into the policy enforcement dictionary, overwriting the original target data from the database. This can be done using any HTTP method, as the vulnerability is not restricted by method type.
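The following is an added illustration of the defect class described above and is not Keystone's code or the OSSA-2026-015 patch: it models a minimal RBAC enforcer whose policy target is first derived from a trusted database lookup and then, in the vulnerable form, overwritten by whatever the raw JSON body contains. The hardened form keeps request data in its own namespace and only parses a body for JSON requests on body-bearing methods, so caller-controlled keys can never shadow the trusted target. All names here (TRUSTED_DB, lookup_target, build_target_vulnerable, build_target_hardened, enforce) and the sample data are constructed for the example; the hardening shown is a general pattern, not the vendor's actual fix.

```python
"""Toy model of a policy enforcer that merges the request body over a trusted
target dictionary (vulnerable) versus one that keeps them separate (hardened).
Hypothetical code for illustration only; not OpenStack Keystone's implementation.
"""
import json

# Constructed stand-in for the database lookup the real enforcer performs:
# credential "cred-1" belongs to user "alice" in project "proj-a".
TRUSTED_DB = {
    "credential": {"cred-1": {"user_id": "alice", "project_id": "proj-a"}},
}


def lookup_target(resource, resource_id):
    """Trusted target attributes derived from the database, never the request."""
    row = TRUSTED_DB[resource][resource_id]
    return {"user_id": row["user_id"], "project_id": row["project_id"]}


def build_target_vulnerable(resource, resource_id, raw_body):
    """Vulnerable pattern: body parsed unconditionally (models get_json(force=True))
    and merged with dict.update(), so a caller-supplied 'target' key replaces
    the trusted one regardless of HTTP method or Content-Type."""
    policy_dict = {"target": lookup_target(resource, resource_id)}
    body = json.loads(raw_body) if raw_body else {}
    policy_dict.update(body)  # caller-controlled keys win over trusted data
    return policy_dict


def build_target_hardened(resource, resource_id, raw_body, content_type, method):
    """Hardened pattern: parse a body only for JSON requests on body-bearing
    methods, and store it under its own key so it cannot shadow 'target'."""
    policy_dict = {"target": lookup_target(resource, resource_id)}
    body = {}
    if (method in ("POST", "PUT", "PATCH")
            and content_type == "application/json" and raw_body):
        body = json.loads(raw_body)
    # Request-supplied fields live in a separate namespace; 'target' is reserved.
    policy_dict["request"] = {k: v for k, v in body.items() if k != "target"}
    return policy_dict


def enforce(creds, policy_dict):
    """Owner-only rule: the caller's user_id must match the target's user_id."""
    return creds["user_id"] == policy_dict["target"]["user_id"]


def check_vulnerable(caller_user_id, raw_body):
    """Decision the vulnerable enforcer reaches for a read of cred-1."""
    return enforce({"user_id": caller_user_id},
                   build_target_vulnerable("credential", "cred-1", raw_body))


def check_hardened(caller_user_id, raw_body, content_type, method):
    """Decision the hardened enforcer reaches for a read of cred-1."""
    return enforce({"user_id": caller_user_id},
                   build_target_hardened("credential", "cred-1", raw_body,
                                         content_type, method))


if __name__ == "__main__":
    # Constructed body that asserts a different owner than the database holds.
    body = json.dumps({"target": {"user_id": "mallory", "project_id": "proj-a"}})
    print("vulnerable, non-owner with injected target:",
          check_vulnerable("mallory", body))            # True: RBAC bypassed
    print("hardened, non-owner with injected target:",
          check_hardened("mallory", body, "text/plain", "GET"))  # False
    print("hardened, real owner:", check_hardened("alice", "", None, "GET"))
```

The decisive difference is the single `policy_dict.update(body)` line: because the request body and the trusted lookup share one flat dictionary, any key the caller chooses shadows the database-derived value. Namespacing the body (and refusing to parse it on methods and content types that should carry none) removes that shadowing path entirely rather than relying on per-endpoint filtering.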
Users with customized policy files will need to update their policies to address the changes introduced by the patch for this vulnerability. Instructions for updating policies are available in the OpenStack Security Advisory OSSA-2026-015.