OpenStack Keystone CVE-2026-42999 RBAC Policy Target Injection via JSON Body with POC

Vulnerability Overview Vulnerability Name: RBAC Policy Target Injection via JSON Request Body (CVE-2026-42999) Vulnerability Description: In OpenStack Identity (keystone), the method unconditionally merges the raw JSON request body into the policy enforcement dictionary, overwriting trust targets retrieved from the database. Attackers can completely replace database-sourced RBAC target data by including a "target" key in the JSON request body, causing policy checks to fail and bypassing security restrictions. Affected Scope Affected Versions: All OpenStack versions (Rocky 14.0.0 and later) Impact Severity: Critical Impacted Functionality: - Any API endpoint invoking where policy rules contain or substitutions - All API resource scopes - Any operation requiring user authentication and authorization verification Remediation 1. Patch: A patch is provided to prevent the JSON request body from overwriting security-critical values. 2. Policy Adjustment: Operators must update their file to correct the policies. 3. Testing: Unit tests have been added to verify the effectiveness of the fix. POC Code Additional Information Reporter: Boris Bobrov (SAP SE) CVE ID: CVE-2026-42999 Related CVEs: CVE-2026-33551, CVE-2026-42998, CVE-2026-43000, CVE-2026-43001, CVE-2026-44394 Remediation Status Status: In Progress Priority: High Assigned To: Unassigned Patch Link Patch Link Notes This vulnerability was introduced in 2018 and remains unfixed. Operators are required to update the policy file to apply the fix.

Goal Reached Thanks to every supporter — we hit 100%!

OpenStack Keystone CVE-2026-42999 RBAC Policy Target Injection via JSON Body with POC