Hi,

OpenStack published a bunch of CVEs for Keystone.

These five CVEs in OpenStack Keystone are all post-auth privilege escalation or scope expansion vulnerabilities. All Keystone releases supported by YAOOK are affected. For details of the particular exploitation flows, please consult the upstream advisory.
 
The YAOOK authors consider CVE-2026-42999 to be the most severe one. It allows cross-project privilege escalation by anyone who can obtain a valid OpenStack token, effectively breaking tenant isolation and potentially allowing escalation to cloud admin privileges.

The following images are vulnerable:
If one of these images is used in your cluster for the keystone-api deployment, the cluster is vulnerable.
The fixed image has been built in a private pipeline[1], which has been made public alongside this advisory so that the image provenance can be verified.

We recommend immediately adding a YAOOK_OP_VERSIONS_OVERRIDE[2] environment variable to your Keystone operator container so that the fixed image is pulled before the next YAOOK comprehensive release is ready. The override maps each Keystone image repository to the fixed tag:

operator:
    extraEnv:
    - name: YAOOK_OP_VERSIONS_OVERRIDE
      value: |
        {
            "registry.yaook.cloud/yaook/keystone-2023.2": "registry.yaook.cloud/yaook/keystone-2023.2:3.0.87",
            "registry.yaook.cloud/yaook/keystone-2024.1": "registry.yaook.cloud/yaook/keystone-2024.1:3.0.87",
            "registry.yaook.cloud/yaook/keystone-2024.2": "registry.yaook.cloud/yaook/keystone-2024.2:3.0.87",
            "registry.yaook.cloud/yaook/keystone-2025.1": "registry.yaook.cloud/yaook/keystone-2025.1:3.0.87",
            "registry.yaook.cloud/yaook/keystone-2025.2": "registry.yaook.cloud/yaook/keystone-2025.2:3.0.87"
        }
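After rolling out the override, a practitioner will want to confirm that the Keystone pods actually came up on the fixed tag rather than trusting the operator config alone. The script below is an added example for that check; it is not part of this advisory or of the YAOOK project. It reads container image references one per line, flags every registry.yaook.cloud/yaook/keystone-* image whose tag is not 3.0.87 (the tag from the override above), and fails closed on untagged or digest-pinned references, which cannot be judged by tag. The sample input is constructed, and the kubectl command in the trailing comment is an assumption about how you would feed it real cluster data.

```shell
#!/bin/sh
# Added example, not YAOOK code: check running images for the yaook Keystone
# repositories and flag any that are not on the fixed tag from the override.
# Reads image references (one per line) from stdin.
# Returns 0 if every yaook keystone image is on FIXED_TAG, 1 if any image is on
# another tag, has no tag, or is digest-pinned (cannot be verified by tag alone).
FIXED_TAG="3.0.87"

check_keystone_images() {
    rc=0
    while IFS= read -r image; do
        [ -z "$image" ] && continue
        # Only yaook Keystone images are in scope; skip everything else.
        case "$image" in
            registry.yaook.cloud/yaook/keystone-*) ;;
            *) continue ;;
        esac
        name="${image##*/}"    # last path component, e.g. keystone-2024.1:3.0.87
        case "$name" in
            *@*)
                # Digest-pinned reference: the tag tells us nothing, so fail closed
                # and ask the operator to compare the digest with the build in [1].
                printf 'UNVERIFIED %s (digest-pinned; compare the digest with pipeline [1])\n' "${image%%@*}"
                rc=1
                continue
                ;;
            *:*) tag="${name##*:}"; repo="${image%:*}" ;;
            *)   tag="<none>";       repo="$image" ;;
        esac
        if [ "$tag" != "$FIXED_TAG" ]; then
            printf 'VULNERABLE %s (tag %s, expected %s)\n' "$repo" "$tag" "$FIXED_TAG"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input for a dry run; these are not real cluster outputs.
SAMPLE_IMAGES='registry.yaook.cloud/yaook/keystone-2024.1:3.0.86
registry.yaook.cloud/yaook/keystone-2025.1:3.0.87
registry.yaook.cloud/yaook/nova-2024.1:1.0.0'

# Against a real cluster (needs kubectl access) feed the running images instead
# of the sample, for example:
#   kubectl get pods -A -o jsonpath='{.items[*].spec.containers[*].image}' | tr ' ' '\n' | check_keystone_images
printf '%s\n' "$SAMPLE_IMAGES" | check_keystone_images || echo "roll out the override and re-check"
```

The check deliberately reports digest-pinned images as unverified instead of silently passing them: a digest proves which build you run, but only a comparison against the published pipeline[1] tells you whether that build is the fixed one.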

More info can be found in our security advisory[3].

Regards
Stefan

[1] https://gitlab.com/yaook-security/images/keystone/-/pipelines/2556551510
[2] https://docs.yaook.cloud/user/references/env-reference.html#envvar-YAOOK_OP_VERSIONS_OVERRIDE
[3] https://yaook.cloud/security-advisories-cve-2026-42998-43001-44394/

-- 
Stefan Hoffmann
DevOps Engineer

Cloud&Heat Technologies GmbH
Königsbrücker Straße 96 | 01099 Dresden
+49 351 479 367 36
stefan.hoffmann@cloudandheat.com | www.cloudandheat.com

Green, Open, Efficient.
Your cloud service and cloud technology provider from Dresden.
https://www.cloudandheat.com/

Commercial Register: District Court Dresden
Register Number: HRB 30549
VAT ID No.: DE281093504
Managing Director: Nicolas Röhrs
Authorized signatory: Dr. Marius Feldmann