CVE-2026-22797 Overview
A critical authentication bypass vulnerability has been discovered in OpenStack keystonemiddleware affecting versions 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to properly sanitize incoming authentication headers before processing OAuth 2.0 tokens. This allows authenticated attackers to inject forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id to escalate privileges or impersonate other users within the OpenStack environment.
Critical Impact
Authenticated attackers can escalate privileges to administrative levels or impersonate any user by injecting forged identity headers, potentially compromising the entire OpenStack deployment.
Affected Products
- OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2
- OpenStack keystonemiddleware 10.8 and 10.9 before 10.9.1
- OpenStack keystonemiddleware 10.10 through 10.12 before 10.12.1
Discovery Timeline
- 2026-01-19 - CVE CVE-2026-22797 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2026-22797
Vulnerability Analysis
This vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing) and affects the external_oauth2_token middleware component within OpenStack keystonemiddleware. The fundamental issue lies in the middleware's failure to strip or validate pre-existing identity headers from incoming HTTP requests before processing OAuth 2.0 authentication tokens.
In a properly functioning authentication flow, the keystonemiddleware should act as the sole authority for setting identity headers based on the validated authentication token. However, the vulnerable versions trust headers that may already be present in the incoming request, allowing attackers to bypass the normal authentication and authorization flow by pre-populating these headers with arbitrary values.
The network-accessible nature of this vulnerability, combined with the low attack complexity and the ability to impact resources beyond the vulnerable component's security scope, makes this a particularly dangerous flaw for multi-tenant cloud environments.
Root Cause
The root cause is a missing input sanitization step in the external_oauth2_token middleware. When processing incoming requests, the middleware does not clear or validate existing identity headers before setting new values based on the OAuth 2.0 token validation. This allows an attacker to inject forged headers such as:
- X-Is-Admin-Project - Used to grant administrative project privileges
- X-Roles - Used to assign arbitrary roles to the request context
- X-User-Id - Used to impersonate other users in the system
The middleware trusts these headers implicitly, bypassing the proper identity validation that should occur during token processing.
Attack Vector
The attack is network-based and requires low privileges to execute. An authenticated attacker with valid OAuth 2.0 credentials can craft HTTP requests that include forged identity headers alongside their legitimate authentication token. When the vulnerable middleware processes this request, it fails to sanitize the pre-existing headers, allowing the attacker to:
- Escalate their privileges by setting X-Is-Admin-Project: True
- Assign themselves additional roles via the X-Roles header
- Impersonate other users by manipulating the X-User-Id header
The vulnerability is exploited by simply including the forged headers in HTTP requests to any OpenStack service protected by the vulnerable keystonemiddleware. The attacker maintains their legitimate OAuth 2.0 token for initial authentication while the forged headers override or supplement the authorization context derived from that token.
Detection Methods for CVE-2026-22797
Indicators of Compromise
- Unusual patterns of administrative actions from non-privileged user accounts in OpenStack audit logs
- HTTP requests containing identity headers (X-Is-Admin-Project, X-Roles, X-User-Id) originating from external sources rather than being set by the middleware
- Discrepancies between user actions logged and their actual assigned roles in Keystone
- Unexpected cross-project resource access or tenant boundary violations
Detection Strategies
- Implement log correlation to detect privilege escalation patterns where users suddenly perform actions outside their normal role scope
- Deploy network traffic analysis to identify HTTP requests containing pre-populated identity headers targeting OpenStack API endpoints
- Configure SIEM rules to alert on administrative actions performed by users without corresponding admin role assignments in Keystone
- Monitor for authentication anomalies where the same user identity appears in requests from multiple distinct sources simultaneously
Monitoring Recommendations
- Enable detailed audit logging for all OpenStack services, particularly focusing on Keystone authentication events
- Configure alerts for any modifications to project ownership, role assignments, or user identity changes
- Implement real-time monitoring of HTTP headers at the load balancer or reverse proxy layer to detect header injection attempts
- Review historical logs for evidence of exploitation prior to patching
How to Mitigate CVE-2026-22797
Immediate Actions Required
- Upgrade OpenStack keystonemiddleware to patched versions: 10.7.2, 10.9.1, or 10.12.1 depending on your current version branch
- Deploy network-layer header stripping at reverse proxies or load balancers to remove identity headers from incoming external requests
- Audit recent administrative actions and user impersonation events for signs of prior exploitation
- Review and restrict OAuth 2.0 token scopes to minimize potential impact of compromised credentials
Patch Information
Security patches have been released for all affected branches. Organizations should upgrade to the following minimum versions:
- Branch 10.5-10.7: Upgrade to keystonemiddleware version 10.7.2 or later
- Branch 10.8-10.9: Upgrade to keystonemiddleware version 10.9.1 or later
- Branch 10.10-10.12: Upgrade to keystonemiddleware version 10.12.1 or later
For detailed technical information, refer to the Launchpad Bug Report #2129018 and the Openwall OSS-Security Discussion.
Workarounds
- Configure upstream reverse proxies (nginx, HAProxy) to strip identity headers (X-Is-Admin-Project, X-Roles, X-User-Id, X-User-Name, X-User-Domain-Id, X-User-Domain-Name) from all incoming requests
- Implement network segmentation to ensure that only trusted internal services can communicate directly with OpenStack API endpoints
- Consider temporarily disabling the external_oauth2_token middleware if OAuth 2.0 authentication is not strictly required, falling back to alternative authentication methods
- Deploy Web Application Firewall (WAF) rules to detect and block requests containing suspicious identity header patterns
# Nginx configuration to strip identity headers from external requests
# Add to server block handling OpenStack API traffic
location / {
# Strip potentially forged identity headers
proxy_set_header X-Is-Admin-Project "";
proxy_set_header X-Roles "";
proxy_set_header X-User-Id "";
proxy_set_header X-User-Name "";
proxy_set_header X-User-Domain-Id "";
proxy_set_header X-User-Domain-Name "";
proxy_set_header X-Project-Id "";
proxy_set_header X-Project-Name "";
# Forward to OpenStack API backend
proxy_pass http://openstack-api-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
