Cyber Posture

CVE-2026-22797

Critical

Published: 19 January 2026

Published
19 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0014 34.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged…

more

identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation and sanitization of incoming authentication headers to prevent exploitation via forged X-Is-Admin-Project, X-Roles, or X-User-Id headers in the external_oauth2_token middleware.

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and patching of software flaws like the keystonemiddleware sanitization failure affecting versions 10.5 through 10.12.

IA-2 Identification and Authentication (Organizational Users) partial match
prevent

Ensures mechanisms for unique identification and authentication of users, mitigating impersonation and privilege escalation from unsanitized OAuth 2.0 token processing.

Security SummaryAI

CVE-2026-22797 is a high-severity vulnerability in OpenStack keystonemiddleware, affecting versions 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers prior to processing OAuth 2.0 tokens, enabling attackers to inject forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id. All deployments utilizing this middleware are vulnerable, with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L) and mapped to CWE-290 (Authentication Bypass by Spoofing).

An authenticated attacker with low privileges can exploit this issue remotely over the network with low complexity and no user interaction required. By crafting and sending requests with manipulated headers during OAuth 2.0 token processing, the attacker can escalate their privileges or impersonate other users, potentially gaining high confidentiality, integrity, and limited availability impacts across a changed scope.

Advisories recommend upgrading to patched versions: 10.7.2, 10.9.1, or 10.12.1 and later. Detailed discussions and patches are available in the referenced sources, including the Launchpad bug report at https://launchpad.net/bugs/2129018 and oss-security mailing list announcements at https://www.openwall.com/lists/oss-security/2026/01/16/9, http://www.openwall.com/lists/oss-security/2026/01/15/1, http://www.openwall.com/lists/oss-security/2026/01/16/2, and http://www.openwall.com/lists/oss-security/2026/01/16/3.

Details

CWE(s)
CWE-290

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

Vulnerability in OpenStack Keystone middleware allows low-privileged authenticated attackers to forge authentication headers (e.g., X-Roles, X-User-Id), directly enabling exploitation of the remote authentication service for privilege escalation and user impersonation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References