OSSA-2025-002: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization

Date:

November 04, 2025

CVE:

PENDING

Affects

  • Keystone: <26.0.1, ==27.0.0, ==28.0.0

Description

kay reported a vulnerability in Keystone’s ec2tokens and s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from a presigned S3 URL), an unauthenticated attacker may obtain Keystone authorization (ec2tokens can yield a fully scoped token; s3tokens can reveal scope accepted by some services), resulting in unauthorized access and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated clients (e.g., exposed on a public API) are affected.
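Because exposure depends on whether unauthenticated clients can reach /v3/ec2tokens and /v3/s3tokens on the public API, a quick triage step while patches are rolled out is to audit the Keystone access log for calls to those two paths that did not originate from the internal services expected to use them (for example a Swift S3 API proxy). The following is an added example written for this advisory, not OpenStack code; the log lines are constructed in combined-log format, the 10.0.0.0/8 trusted network is an assumption, and the IP/status values are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Keystone public API access log lines (combined-log
# style as written by Apache/uwsgi front ends). Not real captures.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2025:10:00:01 +0000] "POST /v3/ec2tokens HTTP/1.1" 201 1182 "-" "swift-s3api"
203.0.113.7 - - [04/Nov/2025:10:00:03 +0000] "POST /v3/ec2tokens HTTP/1.1" 201 1182 "-" "python-requests/2.31"
198.51.100.9 - - [04/Nov/2025:10:00:04 +0000] "POST /v3/s3tokens HTTP/1.1" 200 640 "-" "curl/8.4.0"
10.0.0.5 - - [04/Nov/2025:10:00:05 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 2048 "-" "python-keystoneclient"
203.0.113.7 - - [04/Nov/2025:10:00:06 +0000] "POST /v3/ec2tokens HTTP/1.1" 401 120 "-" "python-requests/2.31"
"""

# The two endpoints named in the advisory.
TOKEN_ENDPOINTS = ("/v3/ec2tokens", "/v3/s3tokens")

# Assumed: the only legitimate callers of these endpoints live on an internal
# service network (e.g. hosts running Swift's S3-compatible API). Adjust to
# your deployment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_untrusted_token_requests(log_text, trusted_nets=TRUSTED_NETS):
    """Return parsed requests to the EC2/S3 token endpoints whose client
    address is outside every trusted network."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Normalise away query strings and trailing slashes before comparing.
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if path not in TOKEN_ENDPOINTS:
            continue
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # unparsable client field; skip rather than guess
        if any(addr in net for net in trusted_nets):
            continue
        rec["path"] = path
        hits.append(rec)
    return hits


def summarize(hits):
    """Split hits into successful (2xx, a token was likely issued) and
    rejected (4xx/5xx) requests, counted per (client IP, endpoint)."""
    issued = Counter((h["ip"], h["path"]) for h in hits if 200 <= h["status"] < 300)
    rejected = Counter((h["ip"], h["path"]) for h in hits if h["status"] >= 400)
    return issued, rejected


if __name__ == "__main__":
    issued, rejected = summarize(find_untrusted_token_requests(SAMPLE_LOG))
    for (ip, path), n in sorted(issued.items()):
        print(f"token issued to untrusted client: {ip} {path} x{n}")
    for (ip, path), n in sorted(rejected.items()):
        print(f"rejected request from untrusted client: {ip} {path} x{n}")
```

Successful (2xx) responses to untrusted clients are the ones worth investigating, since on an unpatched Keystone they indicate a token or scope was handed out; a non-empty result is also a direct confirmation that the endpoints are reachable from outside the trusted network and should be restricted at the API front end until the fix is deployed.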

Patches

Credits

  • kay (PENDING)

References

Notes

  • While the indicated Keystone patches are sufficient on their own to mitigate this vulnerability, corresponding changes for Swift are included so that its optional S3-compatible API keeps working once Keystone is patched.

  • MITRE CVE Request 1930434 has been awaiting assignment since 2025-09-24, but once completed will result in an errata revision to this advisory reflecting the correct CVE ID. If any other CNA has assigned a CVE themselves in the meantime, please reject it so that we don’t end up with duplicates.