OSSA-2025-002: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization
- Date: November 04, 2025
- CVE: CVE-2025-65073
Affects
Keystone: <26.0.1, ==27.0.0, ==28.0.0
Description
kay reported a vulnerability in Keystone’s ec2tokens and s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from a presigned S3 URL), an unauthenticated attacker may obtain Keystone authorization for the user associated with the signature (ec2tokens can yield a fully scoped token; s3tokens can reveal scope accepted by some services), resulting in unauthorized access and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated clients (e.g., exposed on a public API) are affected.
Errata
CVE-2025-65073 was assigned by MITRE after publication based on a request submitted 2025-09-24 (months prior); if any other CNA has assigned a CVE themselves in the meantime, please reject it so that we don’t end up with duplicates. Further, the description has been extended to clarify token ownership. Backported fixes for the unmaintained/2024.1 branches are now included.
Patches
https://review.opendev.org/966871 (2024.1/caracal(keystone))
https://review.opendev.org/966068 (2024.1/caracal(swift))
https://review.opendev.org/966073 (2024.2/dalmatian(keystone))
https://review.opendev.org/966067 (2024.2/dalmatian(swift))
https://review.opendev.org/966071 (2025.1/epoxy(keystone))
https://review.opendev.org/966064 (2025.1/epoxy(swift))
https://review.opendev.org/966070 (2025.2/flamingo(keystone))
https://review.opendev.org/966063 (2025.2/flamingo(swift))
https://review.opendev.org/966069 (2026.1/gazpacho(keystone))
https://review.opendev.org/966062 (2026.1/gazpacho(swift))
Credits
kay (CVE-2025-65073)
References
Notes
While the indicated Keystone patches are sufficient to mitigate this vulnerability, corresponding changes for Swift are included which keep its optional S3-like API working.
The unmaintained/2024.1 branches will receive no new point releases, but patches for them are provided as a courtesy.
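As an added triage helper (not part of this advisory or the Keystone project), the following script checks a Keystone release against the affected ranges listed under Affects and flags access-log requests to /v3/ec2tokens or /v3/s3tokens that did not originate from an assumed internal service network; the log format, the internal address range and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Affected Keystone releases as stated in the advisory: <26.0.1, ==27.0.0, ==28.0.0.
# Assumes plain numeric versions such as "26.0.0" (no pre-release suffixes).
def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))

def is_affected(version: str) -> bool:
    """True if this Keystone release falls inside an affected range."""
    ver = parse_version(version)
    return ver < (26, 0, 1) or ver in {(27, 0, 0), (28, 0, 0)}

# Assumed Apache/uwsgi combined-format access log for the public Keystone endpoint.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TOKEN_PATHS = ("/v3/ec2tokens", "/v3/s3tokens")

def flag_token_endpoint_hits(lines, internal_nets=("10.0.0.0/8",)):
    """Return (source, path, status) for each request to the EC2/S3 token
    endpoints that did not come from the assumed internal networks, where
    service-side callers such as Swift's S3 API are expected to live."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?")[0].rstrip("/") not in TOKEN_PATHS:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # hostname or malformed source field; skip it
        if not any(src in net for net in nets):
            hits.append((m["src"], m["path"], int(m["status"])))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses as "external").
SAMPLE_LOG = [
    '10.0.3.5 - - [04/Nov/2025:10:00:01 +0000] "POST /v3/ec2tokens HTTP/1.1" 201 812',
    '203.0.113.7 - - [04/Nov/2025:10:00:02 +0000] "POST /v3/ec2tokens HTTP/1.1" 201 812',
    '203.0.113.7 - - [04/Nov/2025:10:00:03 +0000] "POST /v3/s3tokens HTTP/1.1" 200 411',
    '198.51.100.9 - - [04/Nov/2025:10:00:04 +0000] "GET /v3/ HTTP/1.1" 200 250',
]

if __name__ == "__main__":
    for v in ("25.0.2", "26.0.1", "27.0.0", "28.0.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for hit in flag_token_endpoint_hits(SAMPLE_LOG):
        print("review:", hit)
```

Hits from outside the internal range on an unpatched release are the requests to review first; a successful status on such a request is the condition the advisory describes.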
OSSA History
2025-11-17 - Errata 1
2025-11-04 - Original Version