Vulnerability in OpenStack Keystone Enables Unauthorized EC2/S3 Credential Creation
CVE-2026-33551

3.5 LOW

Key Information:

Vendor: OpenStack

Status
Vendor
CVE Published: 10 April 2026

What is CVE-2026-33551?

A security flaw exists in OpenStack Keystone: an authenticated user with a reader role can use restricted application credentials to create EC2 credentials. This issue affects versions prior to 26.1.1 and lets the user bypass role restrictions and potentially gain full access to the parent user's S3 permissions. The vulnerability particularly impacts deployments that use restricted application credentials alongside the EC2/S3 compatibility API. Updating promptly is recommended to mitigate this risk.

Affected Version(s)

Keystone 14.0.0 < 26.1.1

Keystone 27.0.0

Keystone 28.0.0

CVSS V3.1

Score: 3.5
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
