VDB

DEBIAN-CVE-2026-22797

DEBIAN-CVE-2026-22797 PUBLISHED CVSS 9.899999618530273 CRITICAL

An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected.

Risk Scores

CVSS 3.1
9.899999618530273
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Affected Products

VendorProductVersions
Debian:13python-keystonemiddleware0, 10.9.0-2, 0
Debian:14python-keystonemiddleware0, 10.12.0-1, 10.12.0-2

Timeline

  • Jan 19, 2026 CVE Published
  • Apr 28, 2026 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›