oss-sec mailing list archives
Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797)
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 16 Jan 2026 08:38:53 +0100
Hi, On Thu, Jan 15, 2026 at 03:32:46PM +0000, Jeremy Stanley wrote:
====================================================================
OSSA-2026-001: Privilege Escalation via Identity Headers in External
OAuth2 Tokens
====================================================================
:Date: January 15, 2026
:CVE: CVE-2026-22797
Affects
~~~~~~~
- Keystonemiddleware: >=10.0.0 <10.7.2, >=10.8.0 <10.9.1, >=10.10.0 <10.12.1
Just a small note here, the range might be adapted to something newer thatn 10.5.0, correct? AFAIU the code was only added in https://github.com/openstack/keystonemiddleware/commit/de15a610e160defb367b224258498727384d10a8 which landed in 10.5.0. is this correct? Regards, Salvatore
Current thread:
- [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Jeremy Stanley (Jan 15)
- Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Salvatore Bonaccorso (Jan 15)
- [OSSA-2026-001] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) errata 1 Jeremy Stanley (Jan 16)
