Every CVE whose affected-product data names Openstack Keystone, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (44)
CVE-2020-12691 — CVSS 8.8 (high): An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves…
CVE-2019-19687 — CVSS 8.8 (high): OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to…
CVE-2020-12689 — CVSS 8.8 (high): An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope…
CVE-2020-12690 — CVSS 8.8 (high): An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently…
CVE-2026-43001 — CVSS 7.9 (high): An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for…
CVE-2014-2828 — CVSS 7.8 (high): The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a…
CVE-2012-4456 — CVSS 7.5 (high): The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly…
CVE-2015-7546 — CVSS 7.5 (high): The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware…
CVE-2021-38155 — CVSS 7.5 (high): OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information…
CVE-2021-3563 — CVSS 7.4 (high): A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some…
CVE-2022-2447 — CVSS 6.6 (medium): A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token…
CVE-2014-0204 — CVSS 6.5 (medium): OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user…
CVE-2013-0270 — CVSS 6.5 (medium): A flaw was found in OpenStack Keystone. A remote attacker could exploit this vulnerability by sending a large HTTP request, specifically by…
CVE-2013-4222 — CVSS 6.5 (medium): OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a…
CVE-2014-3520 — CVSS 6.5 (medium): OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain…
CVE-2026-44394 — CVSS 6.0 (medium): An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the…
CVE-2013-2059 — CVSS 6.0 (medium): OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the…
CVE-2014-3476 — CVSS 6.0 (medium): OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation…
CVE-2026-42998 — CVSS 6.0 (medium): An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that…
CVE-2026-42999 — CVSS 6.0 (medium): An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the…
CVE-2026-43000 — CVSS 6.0 (medium): An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an…
CVE-2013-2255 — CVSS 5.9 (medium): HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate…
CVE-2013-6391 — CVSS 5.8 (medium): The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped…
CVE-2020-12692 — CVSS 5.4 (medium): An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature…
CVE-2018-20170 — CVSS 5.3 (medium): OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones…
CVE-2018-14432 — CVSS 5.3 (medium): In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects"…
CVE-2013-4294 — CVSS 5.0 (medium): The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly…
CVE-2013-2014 — CVSS 5.0 (medium): OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via…
CVE-2013-0282 — CVSS 5.0 (medium): OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or…
CVE-2013-0247 — CVSS 5.0 (medium): OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to…
CVE-2014-2237 — CVSS 5.0 (medium): The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before…
CVE-2014-5251 — CVSS 4.9 (medium): The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the…
CVE-2012-3426 — CVSS 4.9 (medium): OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token…
CVE-2014-5253 — CVSS 4.9 (medium): OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is…
CVE-2014-5252 — CVSS 4.9 (medium): The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2…
CVE-2013-2157 — CVSS 4.3 (medium): OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass…
CVE-2015-3646 — CVSS 4.0 (medium): OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which…
CVE-2012-4413 — CVSS 4.0 (medium): OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to…
CVE-2014-3621 — CVSS 4.0 (medium): The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users…
CVE-2012-4457 — CVSS 4.0 (medium): OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants…
CVE-2026-33551 — CVSS 3.5 (low): An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials…
CVE-2013-2006 — CVSS 2.1 (low): OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in…
CVE-2012-5483 — CVSS 2.1 (low): tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses…