==================================================================================
OSSA-2026-001: Privilege Escalation via Identity Headers in External OAuth2 Tokens
==================================================================================

:Date: January 15, 2026
:CVE: CVE-2026-22797

Affects
~~~~~~~

- Keystonemiddleware: >=10.0.0 <10.7.2, >=10.8.0 <10.9.1, >=10.10.0 <10.12.1

Description
~~~~~~~~~~~

Grzegorz Grasza with Red Hat reported a vulnerability in the
external_oauth2_token middleware for keystonemiddleware. This middleware
fails to sanitize incoming authentication headers before processing
OAuth 2.0 tokens. By sending forged identity headers such as
X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may
escalate privileges or impersonate other users. All deployments using the
external_oauth2_token middleware are affected.

Patches
~~~~~~~

- https://review.opendev.org/973499 (2024.1/caracal)
- https://review.opendev.org/973497 (2024.2/dalmatian)
- https://review.opendev.org/973496 (2025.1/epoxy)
- https://review.opendev.org/973495 (2025.2/flamingo)
- https://review.opendev.org/973494 (2026.1/gazpacho)

Credits
~~~~~~~

- Grzegorz Grasza from Red Hat (CVE-2026-22797)

References
~~~~~~~~~~

- https://launchpad.net/bugs/2129018
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22797

Notes
~~~~~

- The unmaintained/2024.1 branches will receive no new point releases,
  but patches for them are provided as a courtesy.
- This bug was possible because the middleware only conditionally set
  certain headers (e.g., X-Is-Admin-Project was only set when the token
  had admin privileges), leaving spoofed values intact when conditions
  were not met.
- The fix adds a call to remove_auth_headers() at the start of request
  processing to sanitize all incoming identity headers, matching the
  behavior of the main auth_token middleware.
- The external_oauth2_token middleware was introduced in
  keystonemiddleware 10.0.0.
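As an added illustration of the two Notes above (this is not keystonemiddleware's own code), the following minimal model contrasts a middleware that only conditionally sets identity headers with one that calls a remove_auth_headers() step first, as the fix does. The header names are those cited in the advisory; the token fields, the request, and the function names other than remove_auth_headers() are constructed for the example.

```python
# Added example for OSSA-2026-001, not keystonemiddleware code: a minimal model of
# how identity headers flow through a token middleware, before and after the fix.

# Identity headers the middleware must own end to end. Assumption: a representative
# subset; the real middleware strips a longer, project-defined list.
IDENTITY_HEADERS = ("X-User-Id", "X-Project-Id", "X-Roles", "X-Is-Admin-Project")

def remove_auth_headers(headers: dict) -> None:
    """Sanitize: drop every caller-supplied identity header before token processing."""
    for name in IDENTITY_HEADERS:
        headers.pop(name, None)

def apply_token(headers: dict, token: dict) -> None:
    """Populate identity headers from the validated token."""
    # As the advisory notes, X-Is-Admin-Project is only set when the token has admin
    # privileges, so without prior sanitization a forged value survives untouched.
    headers["X-User-Id"] = token["user_id"]
    headers["X-Project-Id"] = token["project_id"]
    headers["X-Roles"] = ",".join(token["roles"])
    if token["is_admin_project"]:
        headers["X-Is-Admin-Project"] = "True"

def vulnerable_middleware(request_headers: dict, token: dict) -> dict:
    """Pre-fix behaviour: incoming headers pass through, token values are layered on."""
    headers = dict(request_headers)
    apply_token(headers, token)
    return headers

def fixed_middleware(request_headers: dict, token: dict) -> dict:
    """Post-fix behaviour: strip identity headers first, then set them from the token."""
    headers = dict(request_headers)
    remove_auth_headers(headers)
    apply_token(headers, token)
    return headers

# Constructed request from an authenticated non-admin caller who forged identity headers.
FORGED_REQUEST = {
    "Authorization": "Bearer <opaque-token-placeholder>",
    "X-Is-Admin-Project": "True",
    "X-Roles": "admin",
}
# Constructed result of validating that caller's token: a plain member, not admin.
VALIDATED_TOKEN = {"user_id": "u-1", "project_id": "p-1", "roles": ["member"], "is_admin_project": False}
```

Running both functions on FORGED_REQUEST shows X-Roles overwritten in both cases, while the forged X-Is-Admin-Project survives only through vulnerable_middleware.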
--
Jeremy Stanley
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html