OpenStack Keystone Federation Token Expiry Bypass Vulnerability (CVE-2026-44394) and Patch

Vulnerability Overview Vulnerability Name: Authentication Expiry Bypass via Federated Token Rescoping (CVE-2026-44394) Vulnerability Description: There is an authentication expiry bypass vulnerability in the federated token rescoping mechanism of OpenStack Keystone. When a user authenticated with a federated token requests a new scoped token, the expiration time of the original token is not propagated to the new token. Consequently, the new token receives a new default Time-To-Live (TTL), allowing users to indefinitely extend their session lifecycle by repeatedly rescoping the token, thereby bypassing the token expiration policy. This could lead to continued access even after the account has been disabled at the upstream Identity Provider. Affected Scope Affected Product: OpenStack Keystone Affected Versions: <=27.0.0 Fixed Versions: None Severity: CVE-2026-44394 CVSS Score: 3.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N) Vulnerability Type: Insufficient Session Expiry Remediation Fix Code: - : The function lacks the attribute in the response context. - : Non-federated path token authentication correctly preserves the token expiration time (missing in the federated path). - : The fallback logic resets the token to the default expiration time due to the missing explicit expiration time. Fix Patch: - The patch has been submitted to . - Patch content is as follows: POC Code Additional Information Reporter: Erichen, Institute of Computing Technology, Chinese Academy of Sciences CVE References: CVE-2026-43998, CVE-2026-43999, CVE-2026-43000, CVE-2026-43001, CVE-2026-44394 Fix Status: Fix submitted to multiple branches (master, stable/2024.1, stable/2025.1, stable/2025.2, stable/2026.1)

Goal Reached Thanks to every supporter — we hit 100%!

OpenStack Keystone Federation Token Expiry Bypass Vulnerability (CVE-2026-44394) and Patch