From 764d917c4a44b5bc6046f396f73c6a184072fbaf Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Fri, 29 May 2026 12:08:22 +0200 Subject: [PATCH 1/6] SCS Security advisory keystone Signed-off-by: Kurt Garloff --- blog/2026-05-28-keystone.md | 112 ++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 blog/2026-05-28-keystone.md diff --git a/blog/2026-05-28-keystone.md b/blog/2026-05-28-keystone.md new file mode 100644 index 0000000000..cdc846c0e9 --- /dev/null +++ b/blog/2026-05-28-keystone.md 
@@ -0,0 +1,112 @@ +--- +title: Multiple Keystone vulnerabilities affecting credential delegation and authorization (OSSA-2026-015) +authors: [garloff] +slug: keystone_credential_delegation_auth_bypass_ossa_2026_015 +tags: [security, openstack, keystone, cve] +--- + +## The vulnerability + +A series of five related vulnerabilities has been identified in OpenStack +Keystone that impact how credentials are delegated and how authorization +policies are enforced. These vulnerabilities allow authenticated attackers to +bypass security boundaries, impersonate users, and potentially escalate +privileges to cloud administrator. + +The core issues are: + +- **RBAC Policy Bypass (CVE-2026-42999):** An attacker can inject RBAC policy + targets via a JSON request body, allowing them to bypass authorization on + protected endpoints. This can lead to the reading of credential secrets and + escalation to cloud admin. + +- **Application Credential Impersonation (CVE-2026-42998 & CVE-2026-43000):** + Keystone failed to verify if the caller owned the Application Credential + being used. This allows for user impersonation within a project, which can be + chained with "trust" operations to escalate privileges from a project member to + an administrator. + +- **Cross-Project EC2 Credentials (CVE-2026-43001):** Application credentials + scoped to one project could be used to create EC2-style credentials for a +i different project, enabling lateral movement across tenant boundaries. + +- **Federated Token Rescoping (CVE-2026-44394):** In SAML2/OIDC deployments, + federated users can maintain access indefinitely by repeatedly rescoping + tokens, as Keystone issues a fresh full-TTL token instead of inheriting the + original expiry. + +These issues were reported by Boris Bobrov (SAP SE), Tim Shepherd (roiai.ca), +Erichen (Institute of Computing Technology, CAS), and Artem Goncharov +(SysEleven GmbH). 
+ +## Impact on the SCS software ecosystem + +These vulnerabilities pose a significant risk to SCS clouds. Because SCS +environments rely heavily on S3 compatibility—which utilizes EC2-style +credentials—the ability to perform cross-project lateral movement +(CVE-2026-43001) is a direct threat to tenant isolation. + +Furthermore, the RBAC bypass (CVE-2026-42999) is particularly severe as it +undermines the fundamental security model of the cloud, potentially allowing an +authenticated user to gain full administrative control over the entire Keystone +service. For deployments using federated identity (SAML2/OIDC), the ability to +bypass session expiration (CVE-2026-44394) also weakens the security posture +regarding user lifecycle management. + +## Embargo + +The issues were reported to the OpenStack Vulnerability Management Team. +Following coordination with the reporters and upstream developers, the official +OpenStack Security Advisory +[OSSA-2026-015](https://security.openstack.org/ossa/OSSA-2026-015.html) was +published on Tuesday, 2026-05-28. + +## Mitigation and Fixes + +The primary remediation is to upgrade Keystone to the patched versions provided +by the upstream OpenStack release cycle. + +**Note:** For users with highly customized trust policies, please be aware that +the fix for CVE-2026-42999 modifies the trust policy structure. This may +require manual updates to your custom policies to ensure continued +functionality for services like Heat or image uploads. 
+ +The SCS ecosystem software providers are providing fixed keystone images as +soon as they are available: + +- [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-015) +- [yaook](https://yaook.cloud/security-advisories-cve-2026-33551) + +## References + +* [OSSA-2026-015 Advisory](https://security.openstack.org/ossa/OSSA-2026-015.html) +* [Launchpad Bug #2148398](https://bugs.launchpad.net/keystone/+bug/2148398), + [#2148477](https://bugs.launchpad.net/keystone/+bug/2148477), + [#2149775](https://bugs.launchpad.net/keystone/+bug/2149775), + [#2149789](https://bugs.launchpad.net/keystone/+bug/2149789), + [#2150089](https://bugs.launchpad.net/keystone/+bug/2150089), + [#2150379](https://bugs.launchpad.net/keystone/+bug/2150379) +* [CVE-2026-42998](https://www.cve.org/CVERecord?id=CVE-2026-42998), + [CVE-2026-42999](https://www.cve.org/CVERecord?id=CVE-2026-42999), + [CVE-2026-43000](https://www.cve.org/CVERecord?id=CVE-2026-43000), + [CVE-2026-43001](https://www.cve.org/CVERecord?id=CVE-2026-43001), + [CVE-2026-44394](https://www.cve.org/CVERecord?id=CVE-2026-44394) + +## Thanks + +The author would like to thank Boris Bobrov, Tim Shepherd, Erichen, and Artem +Goncharov for their work in discovering and reporting these critical +vulnerabilities and the OpenStack Vulnerabilty Mangement Team for handling +and coordinating this and the OpenStack keystone upstream developers for +addressing the issues. + +## Sovereign Cloud Stack Security Contact + +SCS security contact is +[security@scs.community](mailto:security@scs.community), as published on +[https://sovereigncloudstack.org/.well-known/security.txt](https://sovereigncloudstack.org/.well-known/security.txt). + +## Version history + +- Initial draft, v0.1, 2026-05-28, 16:00 CEST +- Release, v1.0, 2026-05-29, 12:00 CEST From e216c1c37e93ef214ef103c5aef9e1017f0f45d8 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Fri, 29 May 2026 12:15:24 +0200 Subject: [PATCH 2/6] Wordsmithing. 
Signed-off-by: Kurt Garloff --- blog/2026-05-28-keystone.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/blog/2026-05-28-keystone.md b/blog/2026-05-28-keystone.md index cdc846c0e9..13128e778e 100644 --- a/blog/2026-05-28-keystone.md +++ b/blog/2026-05-28-keystone.md @@ -64,15 +64,14 @@ published on Tuesday, 2026-05-28. ## Mitigation and Fixes The primary remediation is to upgrade Keystone to the patched versions provided -by the upstream OpenStack release cycle. +by the upstream OpenStack project. **Note:** For users with highly customized trust policies, please be aware that the fix for CVE-2026-42999 modifies the trust policy structure. This may require manual updates to your custom policies to ensure continued functionality for services like Heat or image uploads. -The SCS ecosystem software providers are providing fixed keystone images as -soon as they are available: +The SCS ecosystem software providers are providing fixed keystone images: - [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-015) - [yaook](https://yaook.cloud/security-advisories-cve-2026-33551) From 6073eb26f35d839d452a5c80290002e0a581fa5e Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Fri, 29 May 2026 12:31:28 +0200 Subject: [PATCH 3/6] OK, markdownlint prefers '-' over '*' for UL. Signed-off-by: Kurt Garloff --- blog/2026-05-28-keystone.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/blog/2026-05-28-keystone.md b/blog/2026-05-28-keystone.md index 13128e778e..ccc3a324ac 100644 --- a/blog/2026-05-28-keystone.md +++ b/blog/2026-05-28-keystone.md 
@@ -78,14 +78,14 @@ The SCS ecosystem software providers are providing fixed keystone images: ## References -* [OSSA-2026-015 Advisory](https://security.openstack.org/ossa/OSSA-2026-015.html) -* [Launchpad Bug #2148398](https://bugs.launchpad.net/keystone/+bug/2148398), +- [OSSA-2026-015 Advisory](https://security.openstack.org/ossa/OSSA-2026-015.html) +- [Launchpad Bug #2148398](https://bugs.launchpad.net/keystone/+bug/2148398), [#2148477](https://bugs.launchpad.net/keystone/+bug/2148477), [#2149775](https://bugs.launchpad.net/keystone/+bug/2149775), [#2149789](https://bugs.launchpad.net/keystone/+bug/2149789), [#2150089](https://bugs.launchpad.net/keystone/+bug/2150089), [#2150379](https://bugs.launchpad.net/keystone/+bug/2150379) -* [CVE-2026-42998](https://www.cve.org/CVERecord?id=CVE-2026-42998), +- [CVE-2026-42998](https://www.cve.org/CVERecord?id=CVE-2026-42998), [CVE-2026-42999](https://www.cve.org/CVERecord?id=CVE-2026-42999), [CVE-2026-43000](https://www.cve.org/CVERecord?id=CVE-2026-43000), [CVE-2026-43001](https://www.cve.org/CVERecord?id=CVE-2026-43001), From fb75cdb33885014fd4d86b38f75591194a106a59 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Fri, 29 May 2026 12:39:14 +0200 Subject: [PATCH 4/6] Add advice on what we expect. Signed-off-by: Kurt Garloff --- blog/2026-05-28-keystone.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/blog/2026-05-28-keystone.md b/blog/2026-05-28-keystone.md index ccc3a324ac..e836177653 100644 --- a/blog/2026-05-28-keystone.md +++ b/blog/2026-05-28-keystone.md 
@@ -76,6 +76,21 @@ The SCS ecosystem software providers are providing fixed keystone images: - [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-015) - [yaook](https://yaook.cloud/security-advisories-cve-2026-33551) +## Outlook + +We see an increased velocity with which security issues are found in the +IT industry. We're glad to see them reported against the open source projects +that we are using and the community is working hard to address the issues. +Security researchers have become more efficient due to the usage of AI tools +and so have OSS developers - we expect the high volume to continue for the +upcoming months and maybe beyond. + +SCS has always emphasized the ability to patch with confidence on a daily basis +as an important design criterium for the lifecycle management of our components. +It now seems to be needed more than ever. We advise operators to prepare for +this new world and ensure to work on any processual issues that are slowing +them down in deployment. + ## References - [OSSA-2026-015 Advisory](https://security.openstack.org/ossa/OSSA-2026-015.html) From 22fac3146550e87f585598d4e70e175002c7443a Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Fri, 29 May 2026 12:41:44 +0200 Subject: [PATCH 5/6] Plural. Signed-off-by: Kurt Garloff --- blog/2026-05-28-keystone.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog/2026-05-28-keystone.md b/blog/2026-05-28-keystone.md index e836177653..0a9b300187 100644 --- a/blog/2026-05-28-keystone.md +++ b/blog/2026-05-28-keystone.md @@ -5,7 +5,7 @@ slug: keystone_credential_delegation_auth_bypass_ossa_2026_015 tags: [security, openstack, keystone, cve] --- -## The vulnerability +## The vulnerabilities A series of five related vulnerabilities has been identified in OpenStack Keystone that impact how credentials are delegated and how authorization From c2fddda56d8c1acae7852dd00c3364cbc583e455 Mon Sep 17 00:00:00 2001 
From: Marvin Frommhold Date: Fri, 29 May 2026 13:26:34 +0200 Subject: [PATCH 6/6] fix spelling Co-authored-by: Marvin Frommhold Signed-off-by: Marvin Frommhold --- blog/2026-05-28-keystone.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/blog/2026-05-28-keystone.md b/blog/2026-05-28-keystone.md index 0a9b300187..befa0a4cad 100644 --- a/blog/2026-05-28-keystone.md +++ b/blog/2026-05-28-keystone.md @@ -28,7 +28,7 @@ The core issues are: - **Cross-Project EC2 Credentials (CVE-2026-43001):** Application credentials scoped to one project could be used to create EC2-style credentials for a -i different project, enabling lateral movement across tenant boundaries. +different project, enabling lateral movement across tenant boundaries. - **Federated Token Rescoping (CVE-2026-44394):** In SAML2/OIDC deployments, federated users can maintain access indefinitely by repeatedly rescoping @@ -71,7 +71,7 @@ the fix for CVE-2026-42999 modifies the trust policy structure. This may require manual updates to your custom policies to ensure continued functionality for services like Heat or image uploads. -The SCS ecosystem software providers are providing fixed keystone images: +The SCS ecosystem software providers are providing fixed Keystone images: - [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-015) - [yaook](https://yaook.cloud/security-advisories-cve-2026-33551) @@ -110,8 +110,8 @@ them down in deployment. The author would like to thank Boris Bobrov, Tim Shepherd, Erichen, and Artem Goncharov for their work in discovering and reporting these critical -vulnerabilities and the OpenStack Vulnerabilty Mangement Team for handling -and coordinating this and the OpenStack keystone upstream developers for +vulnerabilities and the OpenStack Vulnerability Management Team for handling +and coordinating this and the OpenStack Keystone upstream developers for addressing the issues. ## Sovereign Cloud Stack Security Contact
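Review bot: In 1/6, the Embargo section states the advisory "was published on Tuesday, 2026-05-28", but the weekday is wrong: the patch itself is dated "Fri, 29 May 2026", so 2026-05-28 is a Thursday; either correct the weekday or drop it. Two more points in the same hunk: the yaook link under "Mitigation and Fixes" points at `security-advisories-cve-2026-33551`, an identifier that matches none of the five CVEs the post lists (42998, 42999, 43000, 43001, 44394), so please verify that URL before release; and the note that "the fix for CVE-2026-42999 modifies the trust policy structure" deserves a second look, since the body describes 42999 as the RBAC policy bypass and attributes the trust chaining to CVE-2026-42998 and CVE-2026-43000. Finally, the stray `i` at the start of the line `+i different project, enabling lateral movement` is only corrected in 6/6; squashing that fix into this patch would keep the series from introducing the typo and fixing it later.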
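Review bot: In 4/6, the Outlook hunk has two wording problems: "as an important design criterium" should read "criterion", and "ensure to work on any processual issues that are slowing them down in deployment" is awkward; suggest "address any process issues that slow down their deployments". The substance of the section (daily patching as a design goal, continued high report volume expected) reads fine as is.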