[Yaook] [Security Advisory][CVE-2026-42301] Unrestricted application credential can cross project boundaries

May 27, 2026

      Hi yaook users,

OpenStack published a Bug for keystone[1]. CVE-2026-42301 allows an 
attacker who gets hold of an unrestricted application credential to 
cross project boundaries to another project, if that project is 
accessible to the user who created the application credential. Thus, the 
project scoping of application credentials is broken.

Also check our Security Advisory[2].

The following images are vulnerable:

– keystone images before 3.0.86
– yaook release before 2.2.1 (<= 2.2.0)

If this image is used in your cluster for the keystone-api deployment, 
the cluster is vulnerable.

A new stable release will be published according to the release cycle.
You can upgrade to that release simply by updating your operators.

If you want to upgrade in advance you can pin your keystone image to
3.0.86 in the keystone-operator (adjust the OpenStack version to the 
version you have deployed):

|values:
   operator:
     extraEnv:
     - name: YAOOK_OP_VERSIONS_OVERRIDE
       value: |
||          {
               "registry.yaook.cloud/yaook/keystone-2023.2": 
"registry.yaook.cloud/yaook/keystone-2023.2:3.0.86",
               "registry.yaook.cloud/yaook/keystone-2024.1": 
"registry.yaook.cloud/yaook/keystone-2024.1:3.0.86",
               "registry.yaook.cloud/yaook/keystone-2024.2": 
"registry.yaook.cloud/yaook/keystone-2024.2:3.0.86",
               "registry.yaook.cloud/yaook/keystone-2025.1": 
"registry.yaook.cloud/yaook/keystone-2025.1:3.0.86",
               "registry.yaook.cloud/yaook/keystone-2025.2": 
"registry.yaook.cloud/yaook/keystone-2025.2:3.0.86"
           }|

Best regards
Stefan

[1] https://bugs.launchpad.net/keystone/+bug/2149775
[2] https://yaook.cloud/security-advisories-cve-2026-42301/

-- 
Stefan Hoffmann
DevOps Engineer

Cloud&Heat Technologies GmbH
Königsbrücker Straße 96 | 01099 Dresden
+49 351 479 367 36
stefan.hoffmann@cloudandheat.com |www.cloudandheat.com

Green, Open, Efficient.
Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden.
https://www.cloudandheat.com/

Commercial Register: District Court Dresden
Register Number: HRB 30549
VAT ID No.: DE281093504
Managing Director: Nicolas Röhrs
Authorized signatory: Dr. Marius Feldmann