oss-sec mailing list archives
[OSSA-2026-001] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) errata 1
From: Jeremy Stanley <fungi () yuggoth org>
Date: Fri, 16 Jan 2026 23:37:00 +0000
====================================================================
OSSA-2026-001: Privilege Escalation via Identity Headers in External
OAuth2 Tokens
====================================================================
:Date: January 15, 2026
:CVE: CVE-2026-22797
Affects
~~~~~~~
- Keystonemiddleware: >=10.5.0 <10.7.2, >=10.8.0 <10.9.1, >=10.10.0 <10.12.1
Description
~~~~~~~~~~~
Grzegorz Grasza with Red Hat reported a vulnerability in the
external_oauth2_token middleware for keystonemiddleware. This
middleware fails to sanitize incoming authentication headers before
processing OAuth 2.0 tokens. By sending forged identity headers such
as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated
attacker may escalate privileges or impersonate other users. All
deployments using the external_oauth2_token middleware are affected.
Errata ~~~~~~The original advisory listed versions >=10.0.0 as affected based on incorrect data, the code in question was not added until 10.5.0.
Patches ~~~~~~~ - https://review.opendev.org/973499 (2024.1/caracal) - https://review.opendev.org/973497 (2024.2/dalmatian) - https://review.opendev.org/973496 (2025.1/epoxy) - https://review.opendev.org/973495 (2025.2/flamingo) - https://review.opendev.org/973494 (2026.1/gazpacho) Credits ~~~~~~~ - Grzegorz Grasza from Red Hat (CVE-2026-22797) References ~~~~~~~~~~ - https://launchpad.net/bugs/2129018 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22797 Notes ~~~~~ - The unmaintained/2024.1 branches will receive no new point releases, but patches for them are provided as a courtesy. - This bug was possible because the middleware only conditionally set certain headers (e.g., X-Is-Admin-Project was only set when the token had admin privileges), leaving spoofed values intact when conditions were not met. - The fix adds a call to remove_auth_headers() at the start of request processing to sanitize all incoming identity headers, matching the behavior of the main auth_token middleware. - The affected code was introduced in keystonemiddleware 10.5.0 during the OpenStack 2024.1 (Caracal) development cycle. OSSA History ~~~~~~~~~~~~ - 2026-01-16 - Errata 1 - 2026-01-15 - Original Version -- Jeremy Stanley OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html
Attachment:
signature.asc
Description:
Current thread:
- [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Jeremy Stanley (Jan 15)
- Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Salvatore Bonaccorso (Jan 15)
- [OSSA-2026-001] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) errata 1 Jeremy Stanley (Jan 16)
