Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-33551

3.5 LOW

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 4 days, 7 hours ago

An issue was discovered in OpenStack Keystone 14 through 26 …

An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.

References

Affected products

Keystone

==28.0.0
==27.0.0
<26.1.1
==29.0.0

Matching in nixpkgs

pkgs.keystone

Lightweight multi-platform, multi-architecture assembler framework

nixos-unstable 0.9.2
- nixpkgs-unstable 0.9.2
- nixos-unstable-small 0.9.2
nixos-25.11 0.9.2
- nixos-25.11-small 0.9.2
- nixpkgs-25.11-darwin 0.9.2

pkgs.rubyPackages.keystone-engine

None

nixos-unstable 0.9.0
- nixpkgs-unstable 0.9.0
- nixos-unstable-small 0.9.0
nixos-25.11 0.9.0
- nixos-25.11-small 0.9.0
- nixpkgs-25.11-darwin 0.9.0

pkgs.python312Packages.keystoneauth1

Authentication Library for OpenStack Identity

nixos-25.11 keystoneauth1-5.12.0
- nixos-25.11-small keystoneauth1-5.12.0
- nixpkgs-25.11-darwin keystoneauth1-5.12.0

pkgs.python313Packages.keystoneauth1

Authentication Library for OpenStack Identity

nixos-unstable keystoneauth1-5.13.1
- nixpkgs-unstable keystoneauth1-5.13.1
- nixos-unstable-small keystoneauth1-5.13.1
nixos-25.11 keystoneauth1-5.12.0
- nixos-25.11-small keystoneauth1-5.12.0
- nixpkgs-25.11-darwin keystoneauth1-5.12.0

pkgs.python314Packages.keystoneauth1

Authentication Library for OpenStack Identity

nixos-unstable keystoneauth1-5.13.1
- nixpkgs-unstable keystoneauth1-5.13.1
- nixos-unstable-small keystoneauth1-5.13.1

pkgs.rubyPackages_3_3.keystone-engine

None

nixos-unstable 0.9.0
- nixpkgs-unstable 0.9.0
- nixos-unstable-small 0.9.0
nixos-25.11 0.9.0
- nixos-25.11-small 0.9.0
- nixpkgs-25.11-darwin 0.9.0

pkgs.rubyPackages_3_4.keystone-engine

None

nixos-unstable 0.9.0
- nixpkgs-unstable 0.9.0
- nixos-unstable-small 0.9.0
nixos-25.11 0.9.0
- nixos-25.11-small 0.9.0
- nixpkgs-25.11-darwin 0.9.0

pkgs.rubyPackages_4_0.keystone-engine

None

nixos-unstable 0.9.0
- nixpkgs-unstable 0.9.0
- nixos-unstable-small 0.9.0
nixos-25.11 0.9.0
- nixos-25.11-small 0.9.0
- nixpkgs-25.11-darwin 0.9.0

pkgs.python312Packages.keystone-engine

Lightweight multi-platform, multi-architecture assembler framework

nixos-25.11 0.9.2
- nixos-25.11-small 0.9.2
- nixpkgs-25.11-darwin 0.9.2

pkgs.python313Packages.keystone-engine

Lightweight multi-platform, multi-architecture assembler framework

nixos-unstable 0.9.2
- nixpkgs-unstable 0.9.2
- nixos-unstable-small 0.9.2
nixos-25.11 0.9.2
- nixos-25.11-small 0.9.2
- nixpkgs-25.11-darwin 0.9.2

pkgs.python314Packages.keystone-engine

Lightweight multi-platform, multi-architecture assembler framework

nixos-unstable 0.9.2
- nixpkgs-unstable 0.9.2
- nixos-unstable-small 0.9.2

pkgs.python312Packages.python-keystoneclient

Client Library for OpenStack Identity

nixos-25.11 5.7.0
- nixos-25.11-small 5.7.0
- nixpkgs-25.11-darwin 5.7.0

pkgs.python313Packages.python-keystoneclient

Client Library for OpenStack Identity

nixos-unstable 5.8.0
- nixpkgs-unstable 5.8.0
- nixos-unstable-small 5.8.0
nixos-25.11 5.7.0
- nixos-25.11-small 5.7.0
- nixpkgs-25.11-darwin 5.7.0

pkgs.python314Packages.python-keystoneclient

Client Library for OpenStack Identity

nixos-unstable 5.8.0
- nixpkgs-unstable 5.8.0
- nixos-unstable-small 5.8.0

Package maintainers

@jollheef Mikhail Klementev <root@dumpstack.io>
@vinetos vinetos <contact+git@vinetos.fr>
@anthonyroussel Anthony Roussel <anthony@roussel.dev>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>