CVE-2026-22797
📋 TL;DR
This vulnerability in OpenStack keystonemiddleware lets an authenticated caller put identity headers such as X-Is-Admin-Project, X-Roles or X-User-Id into its own request and have the service behind the middleware honour them, escalating privileges or impersonating other users. Every deployment that routes requests through the external_oauth2_token middleware is affected. The root cause is that the middleware does not strip client-supplied authentication headers before it processes the OAuth 2.0 token and sets the headers the service trusts, so forged values pass through unchanged.
💻 Affected Systems
- OpenStack keystonemiddleware
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version ranges, so version-based scanners cannot decide on their own whether a host is affected. Decide from two facts instead: whether a service's paste pipeline loads external_oauth2_token, and whether the installed keystonemiddleware is at or above the fixed release for its series (see Official Fix below).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete administrative takeover of OpenStack deployment, allowing attacker to create/delete resources, access all tenant data, and potentially compromise underlying infrastructure.
Likely Case
Privilege escalation to admin roles, unauthorized access to other users' resources, and potential data exfiltration.
If Mitigated
Limited impact where the external_oauth2_token middleware is not in use, or where every request reaches the service through a proxy that strips identity headers, API access is restricted to trusted networks, and requests that arrive carrying those headers are alerted on.
🎯 Exploit Status
Exploitation requires an authenticated request (any valid token) to an OpenStack API behind the middleware. An attacker needs to know which identity headers the service trusts, but the attack itself is just adding HTTP headers to an otherwise ordinary request.
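To make the mechanism concrete, here is an added example (not keystonemiddleware's code): a toy WSGI identity middleware in a vulnerable and a hardened form, driven offline against a stub service that reports the identity headers it receives. The defect is modelled as "fill in identity headers from the token but leave whatever the client already sent"; the real code path in keystonemiddleware may differ, and the header list, the token table and the request are constructed for the example.

```python
"""Toy identity middleware: why trusted headers must be stripped first."""
import json

# Headers the downstream service trusts (subset of what keystonemiddleware
# sets; the exact list is an assumption of this example).
IDENTITY_HEADERS = (
    "X-Identity-Status", "X-User-Id", "X-User-Name",
    "X-Project-Id", "X-Roles", "X-Is-Admin-Project",
)

# Constructed stand-in for OAuth 2.0 token validation: token -> identity.
TOKENS = {
    "tok-alice": {
        "X-User-Id": "u-alice", "X-User-Name": "alice",
        "X-Project-Id": "p-demo", "X-Roles": "member",
        "X-Is-Admin-Project": "False",
    },
}


def _env_key(header):
    """WSGI environ key for an HTTP request header."""
    return "HTTP_" + header.upper().replace("-", "_")


def _validate(environ):
    """Identity for the bearer token, or None if the token is unknown."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return TOKENS.get(token)


def _reject(start_response):
    start_response("401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"invalid token"]


def vulnerable_middleware(app):
    """Sets identity headers from the token but never clears what the client
    sent: a header the client already supplied is left as-is (the modelled
    defect), so a forged X-Roles or X-Is-Admin-Project reaches the app."""
    def wrapped(environ, start_response):
        ident = _validate(environ)
        if ident is None:
            return _reject(start_response)
        environ.setdefault(_env_key("X-Identity-Status"), "Confirmed")
        for header, value in ident.items():
            environ.setdefault(_env_key(header), value)  # BUG: client value wins
        return app(environ, start_response)
    return wrapped


def hardened_middleware(app):
    """Strips every trusted identity header from the request first, then sets
    them from the validated token, so only middleware-derived values remain."""
    def wrapped(environ, start_response):
        for header in IDENTITY_HEADERS:          # drop client-supplied copies
            environ.pop(_env_key(header), None)
        ident = _validate(environ)
        if ident is None:
            return _reject(start_response)
        environ[_env_key("X-Identity-Status")] = "Confirmed"
        for header, value in ident.items():
            environ[_env_key(header)] = value
        return app(environ, start_response)
    return wrapped


def identity_app(environ, start_response):
    """Stub downstream service: reports the identity headers it was handed."""
    seen = {h: environ.get(_env_key(h)) for h in IDENTITY_HEADERS}
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(seen).encode()]


def invoke(app, token, forged_headers):
    """Drive a WSGI app offline. Returns (status, identity the service saw)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v2.1/servers",
               "HTTP_AUTHORIZATION": "Bearer " + token}
    for header, value in forged_headers.items():
        environ[_env_key(header)] = value
    status = {}

    def start_response(code, headers):
        status["code"] = code

    body = b"".join(app(environ, start_response))
    seen = json.loads(body) if status["code"].startswith("200") else {}
    return status["code"], seen


if __name__ == "__main__":
    forged = {"X-Roles": "admin", "X-Is-Admin-Project": "True", "X-User-Id": "u-admin"}
    for name, mw in (("vulnerable", vulnerable_middleware), ("hardened", hardened_middleware)):
        print(name, invoke(mw(identity_app), "tok-alice", forged))
```

Running it shows the vulnerable chain handing the service X-Roles=admin and X-Is-Admin-Project=True for a plain member token, while the hardened chain reports the token's real identity. The hardened form strips before validating, not after, so the headers are gone on every path, including the rejection path.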
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.7.2, 10.9.1, or 10.12.1 depending on your version
Vendor Advisory: https://launchpad.net/bugs/2129018
Restart Required: Yes
Instructions:
1. Identify your keystonemiddleware version (pip show keystonemiddleware, or your distribution's package manager if OpenStack was installed from packages).
2. Upgrade to the fixed release for your series: 10.7.2 for 10.7.x, 10.9.1 for 10.9.x, 10.12.1 for 10.12.x (for example pip install 'keystonemiddleware==10.9.1'). A single combined spec such as keystonemiddleware>=10.7.2,>=10.9.1,>=10.12.1 resolves to 10.12.1 or newer, so pick the one release that matches your series, or take the packaged update from your distribution.
3. Restart every OpenStack API service whose paste pipeline loads keystonemiddleware.
4. Verify the fix by resending an authenticated request with forged identity headers and confirming the service ignores them.
🔧 Temporary Workarounds
Disable external_oauth2_token middleware
Temporarily remove the vulnerable middleware from each service's paste pipeline if OAuth 2.0 external-token authentication is not essential to your deployment.
# Edit each service's api-paste.ini (or equivalent) and remove the external_oauth2_token filter from every pipeline that references it
# Restart affected services after configuration changes
Implement WAF/API Gateway filtering
Put a reverse proxy, WAF or API gateway in front of every API endpoint and strip X-Is-Admin-Project, X-Roles and X-User-Id, together with the other identity headers keystonemiddleware sets (X-Identity-Status, X-Project-Id, X-User-Name and so on), from every inbound request. This only helps if clients cannot reach the service port directly.
# Configure your WAF/API gateway to strip these headers from client requests; there is no legitimate client value to validate, so strip rather than validate
# Example for nginx (an empty value drops the header from the proxied request; repeat for each identity header): proxy_set_header X-Is-Admin-Project "";
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to OpenStack APIs only to trusted sources.
- Enhance monitoring for anomalous header usage and implement alerting for privilege escalation attempts.
🔍 How to Verify
Check if Vulnerable:
A host is affected only if both hold: the installed keystonemiddleware is older than the fixed release for its series (10.7.2, 10.9.1 or 10.12.1), and external_oauth2_token appears as a filter in some service's paste pipeline. Check the version as below and search each service's api-paste.ini (or equivalent) for external_oauth2_token.
Check Version:
pip show keystonemiddleware | grep Version
Verify Fix Applied:
After patching, send an authenticated request with forged X-Roles, X-User-Id and X-Is-Admin-Project headers to a service behind the middleware and confirm the response reflects the token's real identity, not the forged headers.
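The two checks above can be scripted. The following is an added example, not part of the advisory or of keystonemiddleware: it parses a paste INI file for filters that load the external_oauth2_token factory and the pipelines that include them, and compares the installed version against the fixed releases named above. The factory module path keystonemiddleware.external_oauth2_token, the sample api-paste.ini, and the treatment of series the advisory does not name are assumptions of the example.

```python
"""Exposure check for CVE-2026-22797: pipeline usage plus version."""
import configparser
import re

# Fixed releases named in the advisory, keyed by minor series.
FIXED_BY_SERIES = {(10, 7): (10, 7, 2), (10, 9): (10, 9, 1), (10, 12): (10, 12, 1)}
LATEST_FIXED = (10, 12, 1)

# Module path of the filter factory; an assumption of this example.
OAUTH2_FACTORY = "keystonemiddleware.external_oauth2_token"


def parse_version(text):
    """'10.12.1' -> (10, 12, 1); tolerates a suffix such as '10.12.1.dev3'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_is_fixed(version):
    """True if this keystonemiddleware version carries the fix.
    Assumption: series the advisory does not name (10.8.x, 10.10.x, ...) are
    unpatched, and anything at or after 10.12.1 is patched."""
    v = parse_version(version)
    fixed = FIXED_BY_SERIES.get(v[:2])
    if fixed is not None:
        return v >= fixed
    return v >= LATEST_FIXED


def _load(paste_ini_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(paste_ini_text)
    return cp


def oauth2_filters(paste_ini_text):
    """Names of [filter:*] sections that load the external_oauth2_token factory."""
    cp = _load(paste_ini_text)
    return [s.split(":", 1)[1] for s in cp.sections()
            if s.startswith("filter:")
            and OAUTH2_FACTORY in cp[s].get("paste.filter_factory", "")]


def pipelines_using(paste_ini_text, filter_names):
    """Map of pipeline section -> the oauth2 filters it actually contains.
    A filter section that no pipeline references does not expose anything."""
    cp = _load(paste_ini_text)
    hits = {}
    for s in cp.sections():
        if s.startswith("pipeline:"):
            members = cp[s].get("pipeline", "").split()
            used = [m for m in members if m in filter_names]
            if used:
                hits[s] = used
    return hits


def assess(version, paste_ini_text):
    """Exposed only if the filter is in a pipeline AND the version is unfixed."""
    filters = oauth2_filters(paste_ini_text)
    pipelines = pipelines_using(paste_ini_text, filters)
    fixed = version_is_fixed(version)
    return {"version": version, "version_fixed": fixed,
            "oauth2_pipelines": pipelines,
            "exposed": bool(pipelines) and not fixed}


# Constructed, nova-style api-paste.ini in which one pipeline uses the filter.
SAMPLE_PASTE_INI = """\
[composite:osapi_compute]
use = call:nova.api.openstack.urlmap:urlmap_factory
/v2.1: openstack_compute_api_v21

[pipeline:openstack_compute_api_v21]
pipeline = cors http_proxy_to_wsgi oauth2token keystonecontext osapi_compute_app_v21

[pipeline:metadata]
pipeline = cors metaapp

[filter:oauth2token]
paste.filter_factory = keystonemiddleware.external_oauth2_token:filter_factory

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
"""

if __name__ == "__main__":
    print(assess("10.9.0", SAMPLE_PASTE_INI))
```

Point it at the real files with open("/etc/nova/api-paste.ini").read() and the output of pip show keystonemiddleware. It only inspects [pipeline:*] sections, so a deployment that wires the filter in through a composite or a custom app factory still needs a manual look.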
📡 Detection & Monitoring
Log Indicators:
- Requests at the edge proxy that arrive already carrying X-Is-Admin-Project, X-Roles or X-User-Id (or any other keystonemiddleware identity header); clients have no legitimate reason to send these, so their presence is the signal, whatever the value
- Repeated such requests from one source address or token, indicating escalation attempts
- Service actions attributed to a user or project that Keystone never issued the caller's token for (a successful forgery looks legitimate in the service's own logs, so correlate with Keystone token records)
Network Indicators:
- HTTP requests to OpenStack API endpoints containing client-supplied identity headers
- Unusual API call patterns (admin-only operations, cross-project access) following such requests
SIEM Query:
source="edge_proxy_logs" AND (header="X-Is-Admin-Project" OR header="X-Roles" OR header="X-User-Id")
This pseudo-query must run against logs captured in front of the middleware; after it, these headers are legitimately present on every request, and matching on an "expected value" is meaningless because no client value is ever expected.
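The detection logic above, as an added example that is not part of the advisory: it scans edge-proxy log records for requests that arrived with keystonemiddleware identity headers, emits one alert per request and counts repeat sources. It assumes the proxy writes one JSON object per request including the inbound headers it saw, captured before the middleware; the log lines, addresses and tokens are constructed.

```python
"""Flag inbound requests that carry keystonemiddleware identity headers."""
import json
from collections import Counter

# Headers keystonemiddleware hands to the service; a client never sends them.
IDENTITY_HEADERS = {
    "x-identity-status", "x-user-id", "x-user-name", "x-project-id",
    "x-roles", "x-is-admin-project",
}

# Constructed edge-proxy log (JSON per line; the format is an assumption).
SAMPLE_LOG = """\
{"ts":"2026-01-20T10:00:01Z","src":"198.51.100.7","method":"GET","path":"/v2.1/servers","status":200,"hdr":{"authorization":"Bearer tok-a","user-agent":"python-novaclient"}}
{"ts":"2026-01-20T10:00:05Z","src":"203.0.113.5","method":"GET","path":"/v2.1/servers","status":200,"hdr":{"authorization":"Bearer tok-b","x-roles":"admin","x-is-admin-project":"True"}}
{"ts":"2026-01-20T10:00:09Z","src":"203.0.113.5","method":"DELETE","path":"/v2.1/servers/9f1c","status":204,"hdr":{"authorization":"Bearer tok-b","x-user-id":"u-victim"}}
{"ts":"2026-01-20T10:00:12Z","src":"198.51.100.9","method":"POST","path":"/v3/auth/tokens","status":201,"hdr":{"content-type":"application/json"}}
{"ts":"2026-01-20T10:00:20Z","src":"203.0.113.5","method":"GET","path":"/v2.1/flavors","status":200,"hdr":{"authorization":"Bearer tok-b","x-roles":"admin"}}
"""


def parse_log(text):
    """Yield one dict per non-empty line; skip lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def forged_identity_headers(record):
    """Identity headers the client itself supplied, if any (case-insensitive)."""
    return {k: v for k, v in record.get("hdr", {}).items()
            if k.lower() in IDENTITY_HEADERS}


def detect(text):
    """Return (alerts, per-source counts) for a log file's contents."""
    alerts = []
    for rec in parse_log(text):
        forged = forged_identity_headers(rec)
        if forged:
            alerts.append({"ts": rec.get("ts"), "src": rec.get("src"),
                           "method": rec.get("method"), "path": rec.get("path"),
                           "status": rec.get("status"), "forged": forged})
    per_source = Counter(a["src"] for a in alerts)
    return alerts, per_source


def repeat_offenders(per_source, threshold=2):
    """Sources with at least `threshold` forged requests (escalation attempts)."""
    return {src: n for src, n in per_source.items() if n >= threshold}


if __name__ == "__main__":
    alerts, per_source = detect(SAMPLE_LOG)
    for a in alerts:
        print(a["ts"], a["src"], a["method"], a["path"], a["status"], a["forged"])
    print("repeat offenders:", repeat_offenders(per_source))
```

The 204 on the DELETE with a forged X-User-Id is the case to watch for: a successful forgery returns a normal status, so the only thing that distinguishes it in the record is that the header was present at all.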
🔗 References
- https://launchpad.net/bugs/2129018
- https://www.openwall.com/lists/oss-security/2026/01/15/1
- https://www.openwall.com/lists/oss-security/2026/01/16/2
- https://www.openwall.com/lists/oss-security/2026/01/16/3
- https://www.openwall.com/lists/oss-security/2026/01/16/9