Yaook

Download

yaook@lists.alasca.cloud

April 2026

1 participants
1 discussions

[Security Advisory][CVE-2026-33551] Restricted application credentials can create EC2 credentials
by Stefan Hoffmann April 8, 2026

April 8, 2026

Hi, yesterday OpenStack published a security advisory for keystone. The vulnerability is at Keystone’s EC2 credential creation endpoint. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user’s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected. keystone version 3.0.81 has the fixed version. With yaook release 1.4.2 and 2.0.1 this will be also fixed in the pinned_versions of the operators. (still in building) You can patch your keystone with this version pin: values: operator: extraEnv: - name: YAOOK_OP_VERSIONS_OVERRIDE value: | registry.yaook.cloud/yaook/keystone-2025.1: registry.yaook.cloud/yaook/keystone-2025.1:3.0.81 Also see our advisory: https://yaook.cloud/security-advisories-cve-2026-33551 Best regards Stefan -- Stefan Hoffmann DevOps-Engineer Cloud&Heat Cloud&Heat Technologies GmbH Königsbrücker Straße 96 (Halle 15) | 01099 Dresden +49 351 479 367 36 stefan.hoffmann(a)cloudandheat.com | www.cloudandheat.com Green, Open, Efficient. Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. [1] Commercial Register: District Court Dresden Register Number: HRB 30549 VAT ID No.: DE281093504 Managing Director: Nicolas Röhrs Authorized signatory: Dr. Marius Feldmann [1] Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. https://www.cloudandheat.com/

1 0