OpenStack Keystone
cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*
- >= 13, <= 29
A vulnerability in OpenStack Keystone versions 13 through 29 allows for cross-project credential escalation. The issue arises because the application credential's project_id is not properly validated when creating EC2-type credentials. This flaw enables an attacker with an unrestricted application credential in one project to create an EC2 credential for another project. By exchanging this EC2 credential for a Keystone token scoped to the second project, the attacker can access resources within that project's role footprint.
Exploitation of this vulnerability allows for unauthorized access to resources in a different project, bypassing project-specific role restrictions.
To reproduce this vulnerability, an attacker must first obtain an unrestricted application credential from a user in project A. This can be done by logging in as the user and creating an application credential. Once the application credential is obtained, the attacker can use it to create an EC2 credential targeting project B. After the EC2 credential is created, it can be exchanged for a Keystone token scoped to project B, while still carrying the original application credential ID from project A. This token can then be used to access project B resources.
The vulnerability has been fixed in the OpenStack Keystone master branch and will be backported to the stable/2026.1 branch. Users should update to the latest version in these branches.
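The missing check described above, as an added illustration that is not Keystone's own code: a minimal model of the request context, the EC2 credential create path, and the project_id validation against the application credential's project. Class and parameter names (ApplicationCredential, RequestContext, validate_app_cred_project) are assumptions made for this example.

```python
# Added illustration, not Keystone source: models the pre-fix and fixed
# behaviour of EC2 credential creation under application-credential auth.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApplicationCredential:          # assumed model of a Keystone app cred
    id: str
    project_id: str                   # project the app cred was issued in
    unrestricted: bool                # only unrestricted app creds may create credentials


@dataclass
class RequestContext:                 # assumed model of the authenticated request
    user_id: str
    project_id: str                                   # token scope
    app_cred: Optional[ApplicationCredential] = None  # set when auth used an app cred


class Forbidden(Exception):
    """Raised when the request must be rejected."""


def create_ec2_credential(ctx, requested_project_id, validate_app_cred_project=True):
    """Create an EC2-type credential bound to requested_project_id.

    validate_app_cred_project=False reproduces the pre-fix behaviour: the
    project_id in the request is never compared with the application
    credential's own project, so an app cred from project A can mint an
    EC2 credential bound to project B.  The default (True) is the fix.
    """
    if ctx.app_cred is not None:
        if not ctx.app_cred.unrestricted:
            raise Forbidden("restricted application credential cannot create credentials")
        if validate_app_cred_project and requested_project_id != ctx.app_cred.project_id:
            raise Forbidden("project_id must match the application credential's project")
    return {
        "type": "ec2",
        "user_id": ctx.user_id,
        "project_id": requested_project_id,
        "app_cred_id": ctx.app_cred.id if ctx.app_cred else None,
    }
```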