External risk intelligence

OpenStack Keystonemiddleware OAuth2 Token Vulnerability Allows Privilege Escalation

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-22797

The vulnerability exists in OpenStack middleware used to process identity and authentication tokens. OpenStack deployments typically involve public-facing API endpoints and identity services, making the authentication processing layer a common and necessary service exposed to network traffic in typical cloud and infrastructure-as-a-service environments.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects OpenStack's external OAuth 2.0 token processing, potentially allowing authenticated attackers to escalate privileges or impersonate other users by manipulating identity headers. The main concern is confirming if your deployments use this specific middleware and are therefore exposed.

  • Allows attackers to gain higher access or act as others.
  • Critical for verifying if your OpenStack setup is impacted.
  • Confirm exposure of external authentication middleware.

Attack Path

How an attacker could exploit the issue

An attacker with existing access to an OpenStack deployment could target the external OAuth 2.0 token processing feature. By sending specially crafted identity headers, an attacker could trick the system into granting them elevated privileges or allowing them to impersonate other users. This could happen if the deployment uses the vulnerable external_oauth2_token middleware.

  • Authenticated attacker required.
  • Forged identity headers trigger vulnerability.
  • Privilege escalation or user impersonation.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an authenticated attacker could exploit this vulnerability to escalate privileges or impersonate other users by forging authentication headers. This could affect the integrity of user roles and administrative access within the system.

  • User access and administrative roles may be compromised.
  • Forged identity headers could bypass access controls.
  • Unauthorized actions may be performed by attackers.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in OpenStack's external_oauth2_token middleware impacts deployments that process OAuth 2.0 tokens and rely on authentication headers. Owners of OpenStack identity and authentication services, along with platform or infrastructure teams managing these services, are likely responsible for addressing this issue. The first practical step is to identify all instances of the affected middleware, determine their exposure to external networks, and assess business criticality to prioritize remediation efforts.

  • Own the affected OpenStack middleware.
  • Verify external OAuth2 token endpoint exposure.
  • Plan risk-based remediation actions.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is OpenStack keystonemiddleware?

It is a Python library used by OpenStack to handle authentication and authorization. It acts as a gatekeeper for cloud services, ensuring that API requests are verified before they are processed. The specific component here, external_oauth2_token, allows OpenStack to accept and validate tokens issued by third-party identity providers instead of relying solely on internal systems.

What does CWE-290 mean for CVE-2026-22797?

CWE-290 refers to Authentication Bypass by Spoofing. In the context of this CVE, it means the middleware fails to verify the integrity of the identity information it receives. Because it trusts incoming headers without checking them against the actual OAuth 2.0 token, an attacker can essentially lie to the system about who they are or what roles they hold, tricking the software into accepting fake credentials.

How can an attacker trigger this vulnerability?

An attacker needs existing network access to the OpenStack environment to interact with the API. By sending specially crafted HTTP headers—such as X-Roles or X-User-Id—during the token validation process, they can bypass standard access checks. Simply having access to the network is not enough; the attacker must be able to inject these headers into a request being processed by the vulnerable middleware.

Is my infrastructure at risk?

You are likely affected if your OpenStack environment uses the external_oauth2_token middleware. According to Halo Surface Signal, because OpenStack identity services are often reachable via public-facing API endpoints, these environments face a higher probability of being targeted. If your deployment uses this specific middleware to handle external authentication, it is exposed.

How do I start fixing CVE-2026-22797?

The first step is to audit your configuration files to see if the external_oauth2_token middleware is enabled. If you find it in use, check your OpenStack version against the affected releases to confirm if you are on an unpatched build. Prioritize identifying instances that are reachable from outside your internal network, then work with your infrastructure team to apply the necessary software updates to replace the vulnerable middleware.

References