
Debian Keystone Critical Privilege Escalation Threat Advisory DLA-4611-1

Debian LTS, May 31, 2026
Multiple critical flaws in Keystone for Debian, including privilege escalation and authorization issues. Upgrade recommended.
Multiple vulnerabilities have been found in Keystone, the OpenStack identity service, including privilege escalation, authorization, and access control flaws.

Summary

CVE-2026-33551

An authenticated user with only a reader role may obtain an EC2/S3
credential that carries the full set of the parent user's S3
permissions, bypassing the role restrictions imposed on the
application credential. Only deployments that use restricted application
credentials in combination with the EC2/S3 compatibility API
(swift3/s3api) are affected. Reported by Maxence Bornecque, from
Orange Cyberdefense CERT Vulnerability Intelligence Watch Team.

CVE-2026-40683

The LDAP identity backend did not convert the enabled attribute to a boolean.
When the user_enabled_invert configuration option was False (the default),
Keystone did not correctly interpret the LDAP enabled attribute, causing
users disabled in LDAP to be treated as enabled and allowed to
authenticate. Deployments using the LDAP identity backend without
user_enabled_invert=True or user_enabled_emulation are affected.
Independently reported by Benedikt Trefzer and Andrew Bogott.
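As an added illustration (not Keystone's code, and not a claim about how the actual defect was written), the snippet below contrasts a check that trusts the raw LDAP attribute value with one that normalises it to a boolean before applying user_enabled_invert, plus an audit helper run over constructed sample entries; the attribute formats and function names are assumptions.

```python
# Added illustration, not Keystone's code: an LDAP "enabled" attribute must be
# normalised to a real boolean before the access decision. Assumptions (mine):
# values arrive as strings or one-element lists like ["FALSE"]; samples are constructed.
TRUE_VALUES = {"true", "t", "yes", "y", "1", "on"}
FALSE_VALUES = {"false", "f", "no", "n", "0", "off"}

def flawed_is_enabled(raw, user_enabled_invert=False):
    """Flawed pattern: relies on Python truthiness of the raw value. Any
    non-empty string ("FALSE" included) is truthy, so with the default
    user_enabled_invert=False a disabled user is reported as enabled."""
    enabled = bool(raw)
    return (not enabled) if user_enabled_invert else enabled

def to_bool(raw):
    """Normalise an LDAP attribute value to a boolean; reject anything else."""
    if isinstance(raw, (list, tuple)):
        if len(raw) != 1:
            raise ValueError("expected one enabled value, got %r" % (raw,))
        raw = raw[0]
    if isinstance(raw, bool):
        return raw
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    text = str(raw).strip().lower()
    if text in TRUE_VALUES:
        return True
    if text in FALSE_VALUES:
        return False
    raise ValueError("unrecognised boolean value %r" % (raw,))

def is_enabled(raw, user_enabled_invert=False):
    """Hardened check: convert first, then apply the invert option."""
    enabled = to_bool(raw)
    return (not enabled) if user_enabled_invert else enabled

def find_misclassified(entries, user_enabled_invert=False):
    """Audit helper: names of users the flawed check would admit although a
    correct reading of the attribute says they are disabled."""
    return [name for name, raw in entries
            if flawed_is_enabled(raw, user_enabled_invert)
            and not is_enabled(raw, user_enabled_invert)]

# Constructed sample directory entries: (uid, raw enabled attribute value).
SAMPLE_ENTRIES = [("alice", ["TRUE"]), ("bob", ["FALSE"]),
                  ("carol", "false"), ("dave", "1")]
```

Running find_misclassified over an export of real directory entries is a quick way to see which accounts a truthiness-based check would have admitted on an unpatched deployment.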

Severity: Critical

Package: keystone
Version: 2:18.1.0-1+deb11u3
CVE ID: CVE-2026-33551 CVE-2026-40683 CVE-2026-42998 CVE-2026-42999
Debian Bug: 1133118 1133884 1135645
