LDAP User Authentication Flaw in OpenStack Keystone
CVE-2026-40683
What is CVE-2026-40683?
In OpenStack Keystone prior to version 28.0.1, a significant flaw exists in the LDAP identity backend. Because of how the user_enabled_invert option is handled, the software fails to correctly interpret the user enabled attribute. Specifically, the _ldap_res_to_model method in the UserApi class only performs the string-to-boolean conversion when user_enabled_invert is set to True. When it is False, raw string values from LDAP, such as 'FALSE', are treated as truthy and therefore as enabled, allowing users marked as disabled to authenticate and access functionality within the system. This poses a serious security risk for deployments that rely on the LDAP identity backend without user_enabled_invert enabled.
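The conversion gap described above, modelled as an added example: this is hypothetical Python written for this page, not Keystone's own code, and the function names, the sample LDAP entries and the audit helper are all constructed. It places the flawed pass-through beside a hardened version that always normalises the attribute before applying inversion, and includes a small check that lists which LDAP-disabled users the flawed logic would let through.

```python
# Added example: a minimal model of the flaw, NOT Keystone's code.
# The LDAP "enabled" attribute arrives as a string ('TRUE' / 'FALSE').

def ldap_str_to_bool(value) -> bool:
    """Normalise an LDAP boolean attribute value to a Python bool."""
    return str(value).strip().upper() == "TRUE"

def enabled_vulnerable(raw_value, user_enabled_invert: bool):
    """Flawed logic: conversion happens only on the invert path. With
    invert disabled the raw string passes through unchanged, and any
    non-empty string (including 'FALSE') is truthy downstream."""
    if user_enabled_invert:
        return not ldap_str_to_bool(raw_value)
    return raw_value  # bug: 'FALSE' stays a str and evaluates as True

def enabled_fixed(raw_value, user_enabled_invert: bool) -> bool:
    """Hardened logic: always convert to bool first, then invert."""
    enabled = ldap_str_to_bool(raw_value)
    return (not enabled) if user_enabled_invert else enabled

def may_authenticate(enabled_flag) -> bool:
    """Backend that gates login on the truthiness of the model field."""
    return bool(enabled_flag)

# Constructed sample LDAP results (not real directory data).
SAMPLE_ENTRIES = [
    {"uid": "alice", "enabled": "TRUE"},
    {"uid": "bob", "enabled": "FALSE"},    # disabled in LDAP
    {"uid": "carol", "enabled": "false"},  # disabled, lower-case
]

def audit(entries, user_enabled_invert: bool = False):
    """Return uids that LDAP marks disabled but the flawed logic would
    still let log in; a quick check against exported entries."""
    leaked = []
    for entry in entries:
        truly_enabled = ldap_str_to_bool(entry["enabled"])
        if user_enabled_invert:
            truly_enabled = not truly_enabled
        flawed = enabled_vulnerable(entry["enabled"], user_enabled_invert)
        if not truly_enabled and may_authenticate(flawed):
            leaked.append(entry["uid"])
    return leaked

if __name__ == "__main__":
    # → ['bob', 'carol']
    print("would wrongly authenticate:", audit(SAMPLE_ENTRIES))
```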
Affected Version(s)
Keystone 8.0.0 < 25.0.1
Keystone 26.0.0 < 26.1.1
Keystone 27.0.0 < 27.0.1
