16 Jan 2026, 8:51 a.m.
On 1/15/26 4:31 PM, Jeremy Stanley wrote:
====================================================================
OSSA-2026-001: Privilege Escalation via Identity Headers in External OAuth2 Tokens
====================================================================

:Date: January 15, 2026
:CVE: CVE-2026-22797

Affects
~~~~~~~
- Keystonemiddleware: >=10.0.0 <10.7.2, >=10.8.0 <10.9.1, >=10.10.0 <10.12.1

Hi,

Can someone reply to my comment #35 there please?
https://bugs.launchpad.net/keystonemiddleware/+bug/2129018

tl;dr: am I right that only oauth2_external enabled deployments are affected, and only starting at 10.5.0 (ie: Caracal)?

Cheers,

Thomas Goirand (zigo)