I agree this seems like class D (security hardening), though if the case is made that there is a legitimate vulnerability here then the need to guess UUIDs to exploit it would make it class C1 instead. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1621626 Title: Unauthenticated requests return information Status in OpenStack Identity (keystone): New Status in OpenStack Security Advisory: Incomplete Bug description: I can get information back on an unauthenticated request. $ curl http://192.168.122.126:35357/v3/projects/8d34a533f85b423e8589061cde451edd/users/68ec7d9b6e464649b11d1340d5e05666/roles/ca314e7f7faf4f948bf6e7cf2077806e {"error": {"message": "Could not find role: ca314e7f7faf4f948bf6e7cf2077806e", "code": 404, "title": "Not Found"}} This should have returned 401 Unauthenticated, like this: $ curl http://192.168.122.126:35357/v3/projects {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}} To recreate, just start up devstack on stable/mitaka and do the above request. I tried this on master and it's fixed. Probably by https://review.openstack.org/#/c/339356/ To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1621626/+subscriptions