Hi,

in the last weeks some further CVEs got published by OpenStack.

The patches are mostly already in the upstream branches, we build backports for not supported versions. But our images needed to be rebuild to fetch the new changes.

These keystone CVE is a vulnerability in the Keystone LDAP identity backend. When the user_enabled_invert configuration option was False (the default), Keystone did not correctly interpret the LDAP enabled attribute, causing users disabled in LDAP to be treated as enabled and allowed to authenticate. Deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.

The CVEs in OpenStack Neutron allow bypassing policies for ports or tagging.

• keystone images before 3.0.88
• neutron images before 1.0.191
• yaook release before 2.3.1

If this images are used in your cluster for keystone-api/neutron-api deployment, the cluster is vulnerable.

Also check the security advisories for keystone[1] and neutron[2] how to update your deployments.

Regards
Stefan

[1] https://yaook.cloud/security-advisories-ossa-2026-007/
[2] https://yaook.cloud/security-advisories-cve-2026-49299-50266/

-- 
Stefan Hoffmann
DevOps Engineer

Cloud&Heat Technologies GmbH
Königsbrücker Straße 96 | 01099 Dresden
+49 351 479 367 36
stefan.hoffmann@cloudandheat.com | www.cloudandheat.com

Green, Open, Efficient.
Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden.
https://www.cloudandheat.com/

Commercial Register: District Court Dresden
Register Number: HRB 30549
VAT ID No.: DE281093504
Managing Director: Nicolas Röhrs
Authorized signatory: Dr. Marius Feldmann