-
Notifications
You must be signed in to change notification settings - Fork 8
Blog post for CVE-2026-22797. #349
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
garloff
wants to merge
6
commits into
main
Choose a base branch
from
feat/add-cve-2026-22797
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
dc7dd91
Blog post for CVE-2026-22797.
garloff dac1981
Link to NIST for CVE.
garloff 4231234
Docusaurus does not like <URL> style links?
garloff 88df2e5
Use @ for affiliation consistently
garloff b0814a4
Mailto link should not be in <> either.
garloff 7764907
Merge branch 'main' into feat/add-cve-2026-22797
garloff File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,130 @@ | ||
| --- | ||
| slug: openstack_oauth2_privescalation_cve_2026_22797 | ||
| title: CVE-2026-22797 OpenStack privilege escalation with oauth2 tokens | ||
| authors: [garloff] | ||
| tags: [security, openstack, cve] | ||
| --- | ||
|
|
||
| ## Prefix | ||
|
|
||
| This advisory was drafted a few days ago, before the issue was public. | ||
| As the issue turned out to only affect very specific configurations (which are | ||
| not used in any standard SCS setting), we did not publish it with the urgency | ||
| that we normally apply to protect our partners in time for a vulnerability becoming | ||
| public. | ||
|
|
||
| Instead, we have taken the time to sort out the publication place in the the new Docs | ||
| blog space, as described by the previous blog post. | ||
|
|
||
| ## The vulnerability | ||
|
|
||
| Keystone is the central Identity and Access Management component in OpenStack. | ||
| Whenever you talk to an OpenStack service, you authenticate to keystone via | ||
| one of the supported methods. In return, keystone will issue a token that | ||
| entitles you to have certain privileges when talking to the individual services. | ||
|
|
||
| One of the supported ways to authenticate is to use oauth2 tokens. | ||
| When keystonemiddleware investigates these | ||
| tokens it adds headers that indicate privileges associated with the account. | ||
|
|
||
| Unfortunately, keystonemiddleware does not clear headers when receiving | ||
| oauth2 tokens, so an authenticated user can send oauth2 tokens with | ||
| headers that actually indicate admin privileges and can trick services | ||
| into assuming elevated privileges. | ||
| The issue was introduced with keystonemiddleware 10.5.0 when support for | ||
| `external_oauth2_tokens` was added. | ||
|
|
||
| The vulnerability has been assigned [CVE-2026-22797](https://nvd.nist.gov/vuln/detail/CVE-2026-22797). | ||
|
|
||
| The issue was reported by Grzegorz Grasza of RedHat. | ||
|
|
||
| ## Impact on OpenStack deployments | ||
|
|
||
| When keystone is configured to accept oauth2 tokens for authentication, anyone | ||
| able to produce and send any valid tokens may inject headers to impersonate other | ||
| users or assume additional roles up to and including admin privileges. Admin | ||
| privileges allow unrestricted access via the API and are only meant to be used | ||
| by the cloud operators. | ||
|
|
||
| _To abuse this vulnerability, the attacker must be an authenticated | ||
| user of the platform. In addition, the platform must be configured to | ||
| accept oauth2 tokens, which is not a supported configuration in yaook | ||
| nor a simple change versus the default configuration is OSISM._ | ||
|
|
||
| To make services accept oauth2 tokens, their config would need | ||
| to be changed via `paste.ini` | ||
|
|
||
| ```ini | ||
| [pipeline:main] | ||
| pipeline = ext_oauth2_token | ||
|
|
||
| [filter:ext_oauth2_token] | ||
| paste.filter_factory = keystonemiddleware.external_oauth2_token:filter_factory | ||
| ``` | ||
|
|
||
| in order to be affected. This is not the case in any default configurations and | ||
| also not when using the OIDC federation with keycloak that is documented for SCS. | ||
|
|
||
| Providers are advised to investigate whether they have done changes to enable oauth2 | ||
| tokens via keystonemiddleware as depicted above and assume that they are affected | ||
| in that case. | ||
|
|
||
| ## Embargo | ||
|
|
||
| The issue has been reported to the OpenStack Vulnerability Management Team in | ||
| private. The reporters and upstream developers have worked together to address | ||
| the issue with fixes and an embargo date has been set to Thursday, 2026-01-15, | ||
| 15:00 UTC (16:00 CET). At this point in | ||
| time, the patches get merged and the OpenStack Security Advisory | ||
| ([OSSA-2026-001](https://security.openstack.org/ossa/OSSA-2026-001.html)) | ||
| is published. The issue is tracked in OpenStack issue | ||
| [#2219018](https://bugs.launchpad.net/keystonemiddleware/+bug/2129018), which should become | ||
| publically accessible after the lift of the embargo and the publication | ||
| of this advisory. | ||
|
|
||
| Under the used responsible disclosure approach, the information was shared with | ||
| a select group of trustable users of OpenStack, so they can prepare updates and | ||
| protect their infrastructure at the time this issue becomes public. | ||
|
|
||
| ## Mitigation and Fixes | ||
|
|
||
| The fix is straightforward and consists of clearing headers and explicitly | ||
| unsetting the critical headers. For affected setups, it is recommended to update | ||
| the keystone services immediately. | ||
|
|
||
| For clouds that can not update keystone directly, the dangerous headers could | ||
| be filtered out by a reverse proxy or similar network infrastructure in front | ||
| of the openstack API services or the oauth2 tokens could be temporarily disabled | ||
| by reverting back to the standard | ||
|
|
||
| ```ini | ||
| [filter:authtoken] | ||
| paste.filter_factory = keystonemiddleware.auth_token:filter_factory | ||
| ``` | ||
|
|
||
| ### Links to specific information from related OpenStack distributions | ||
|
|
||
| - [ALASCA](https://alasca.cloud/) has issued an | ||
| [advisory for yaook](https://lists.alasca.cloud/hyperkitty/list/yaook@lists.alasca.cloud/thread/Q2GZ7PNXHJ7YHRDALKXTHZMTHS7PM5NE/) | ||
| basically stating that it's not really possible to use yaook in a way that it would be affected. | ||
| - [OSISM](https://osism.tech/) has published an | ||
| [advisary for OSISM](https://osism.tech/docs/appendix/security/ossa-2026-001/) | ||
| with more details how to get a fixed keystone container deployed in case you | ||
| have manually enabled such oauth2 tokens. | ||
|
|
||
| ## Thanks | ||
|
|
||
| The authors would like to thank Grzegorz Grasza, Thomas Goirand (zigo), | ||
| Jay Faulkner, David Wilde, Artem Goncharov and Jeremy Stanley for their | ||
| work on this issue. | ||
|
|
||
| ## Sovereign Cloud Stack Security Contact | ||
|
|
||
| SCS security contact is [security@scs.community](mailto:security@scs.community), as published on | ||
| [https://scs.community/.well-known/security.txt](https://scs.community/.well-known/security.txt). | ||
|
|
||
| ## Version history | ||
|
|
||
| - Initial Draft, v0.1, 2026-01-13, 22:30 CET. | ||
| - Release, v1.0, 2026-01-20, 08:30 CET. | ||
| - Release to SCS docs blog, v1.1, 2026-01-23, 10:30 CET. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.