A significant security flaw has been closed in the OpenStack cloud infrastructure project, specifically within its identity middleware. The vulnerability, tracked as CVE-2026-22797, is a privilege escalation flaw that could allow a standard authenticated user to trick the system into granting them administrative powers or impersonating other users.
The issue resides in the keystonemiddleware, a critical component that handles authentication tokens for OpenStack services.
The vulnerability specifically impacts deployments using the external_oauth2_token middleware. In a secure system, internal authentication headers—which tell the backend who a user is and what they can do—should be strictly managed by the system itself. However, this middleware failed to “sanitize incoming authentication headers before processing OAuth 2.0 tokens”.
This oversight created a dangerous opportunity for forgery. Because the system didn’t scrub these inputs, “by sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users”.
Essentially, an attacker could simply “ask” to be an admin by injecting the X-Is-Admin-Project header, and the system would accept it as truth. The advisory notes that this was possible because the middleware “only conditionally set certain headers… leaving spoofed values intact when conditions [were not met]”.
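The pattern the advisory describes, shown as an added illustration that is not keystonemiddleware's own code: a middleware that sets an identity header only when a condition holds leaves whatever the client sent in place, while a hardened version scrubs every identity header before setting each one from the validated token. The header names come from the advisory; the token store, the two middleware functions, the `backend_is_admin` check and the sample request are constructed assumptions for the demonstration.

```python
"""Added illustration of header scrubbing; not keystonemiddleware's own code.

The header names follow the advisory (X-Is-Admin-Project, X-Roles, X-User-Id).
The token store, middleware functions and sample request are constructed.
"""

# Headers a downstream OpenStack service treats as authoritative identity.
# Every one of these must originate from the middleware, never the client.
IDENTITY_HEADERS = ("X-User-Id", "X-Roles", "X-Is-Admin-Project")
_IDENTITY_LOWER = {h.lower() for h in IDENTITY_HEADERS}

# Constructed stand-in for OAuth 2.0 token validation: token -> identity.
TOKENS = {
    "tok-alice": {"user_id": "alice", "roles": ["member"], "is_admin_project": False},
}

# Constructed request: a valid non-admin token plus a client-supplied identity
# header. HTTP header names are case-insensitive, so it arrives lower-cased.
SAMPLE_REQUEST = {
    "X-Auth-Token": "tok-alice",
    "x-is-admin-project": "True",
}


def _get(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _validate(token):
    """Pretend to validate an OAuth 2.0 token; returns identity or None."""
    return TOKENS.get(token)


def vulnerable_middleware(headers):
    """Conditional pattern: a header is set only when there is a value to set.

    Any identity header the client supplied for a field whose condition is not
    met survives untouched and reaches the backend.
    """
    out = dict(headers)
    info = _validate(_get(out, "X-Auth-Token"))
    if info is None:
        return None
    out["X-User-Id"] = info["user_id"]
    out["X-Roles"] = ",".join(info["roles"])
    if info["is_admin_project"]:          # only set when the condition holds
        out["X-Is-Admin-Project"] = "True"
    return out


def hardened_middleware(headers):
    """Scrub every identity header first, then set each one unconditionally
    from the validated token, so no client-supplied value can reach the backend.
    """
    out = {k: v for k, v in headers.items() if k.lower() not in _IDENTITY_LOWER}
    info = _validate(_get(out, "X-Auth-Token"))
    if info is None:
        return None
    out["X-User-Id"] = info["user_id"]
    out["X-Roles"] = ",".join(info["roles"])
    out["X-Is-Admin-Project"] = "True" if info["is_admin_project"] else "False"
    return out


def backend_is_admin(headers):
    """What a downstream service does: it trusts the header as the truth."""
    return _get(headers, "X-Is-Admin-Project") == "True"


if __name__ == "__main__":
    print("vulnerable grants admin:", backend_is_admin(vulnerable_middleware(SAMPLE_REQUEST)))
    print("hardened grants admin:  ", backend_is_admin(hardened_middleware(SAMPLE_REQUEST)))
```

The scrub is case-insensitive on purpose: a filter that only drops the exact spelling `X-Is-Admin-Project` would miss the same header sent in another case, and the backend's own lookup is case-insensitive. The defensive rule the example encodes is that the set of identity headers is always cleared and always rewritten, independent of what the token contains.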
The flaw affects a specific range of keystonemiddleware versions:
- Versions >=10.0.0 <10.7.2
- Versions >=10.8.0 <10.9.1
- Versions >=10.10.0 <10.12.1
The advisory warns that “all deployments using the external_oauth2_token middleware are affected”.
The vulnerability was reported by Grzegorz Grasza of Red Hat. In response, the OpenStack team has released patches across multiple release branches, including Caracal (2024.1), Dalmatian (2024.2), Epoxy (2025.1), Flamingo (2025.2), and Gazpacho (2026.1).
Cloud administrators are strongly advised to apply these patches immediately to ensure their OpenStack environments verify user identities correctly, rather than blindly trusting the headers they receive.