Your message dated Sat, 24 Jan 2026 11:04:15 +0000
with message-id <[email protected]>
and subject line Bug#1125680: fixed in python-keystonemiddleware 10.9.0-2+deb13u1
has caused the Debian Bug report #1125680,
regarding CVE-2026-22797 / OSSA-2026-001: Privilege Escalation via Identity Headers in External OAuth2 Tokens
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125680: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125680
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-keystonemiddleware
Version: 10.12.0-2
Severity: grave
Tags: patch

Copying official announcement:


Date: January 15, 2026
CVE: CVE-2026-22797

Affects Keystonemiddleware: >=10.0.0 <10.7.2, >=10.8.0 <10.9.1, >=10.10.0 <10.12.1

Description

Grzegorz Grasza with Red Hat reported a vulnerability in the
external_oauth2_token middleware for keystonemiddleware. This middleware
fails to sanitize incoming authentication headers before processing OAuth
2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project,
X-Roles, or X-User-Id, an authenticated attacker may escalate privileges
or impersonate other users. All deployments using the external_oauth2_token
middleware are affected.

Patches:
    https://review.opendev.org/973499 (2024.1/caracal)
    https://review.opendev.org/973497 (2024.2/dalmatian)
    https://review.opendev.org/973496 (2025.1/epoxy)
    https://review.opendev.org/973495 (2025.2/flamingo)
    https://review.opendev.org/973494 (2026.1/gazpacho)

Credits
    Grzegorz Grasza from Red Hat (CVE-2026-22797)

References
    https://launchpad.net/bugs/2129018
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22797

Notes:
The unmaintained/2024.1 branches will receive no new point releases, but
patches for them are provided as a courtesy.

This bug was possible because the middleware only conditionally set certain
headers (e.g., X-Is-Admin-Project was only set when the token had admin
privileges), leaving spoofed values intact when conditions were not met.

The fix adds a call to remove_auth_headers() at the start of request
processing to sanitize all incoming identity headers, matching the behavior
of the main auth_token middleware.

The external_oauth2_token middleware was introduced in keystonemiddleware
10.0.0.

--- End Message ---
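The conditional-header pattern and the remove_auth_headers() fix described in the report above, as an added, constructed WSGI-style model (this is not keystonemiddleware's own code; the header list is a hypothetical subset, and the verified token is passed in as a dict in place of real OAuth 2.0 token introspection):

```python
# Constructed WSGI-style model of the OSSA-2026-001 fix; not keystonemiddleware
# code. WSGI presents HTTP request headers as HTTP_<NAME> keys in the environ.

# Identity headers the middleware owns (a hypothetical subset; the real list
# in keystonemiddleware is longer). Client-supplied values under these names
# must never reach the protected service.
AUTH_HEADERS = ("X-Identity-Status", "X-User-Id", "X-Project-Id",
                "X-Roles", "X-Is-Admin-Project")


def _env_key(header):
    return "HTTP_" + header.upper().replace("-", "_")


def remove_auth_headers(environ):
    """Drop every incoming identity header before the token is processed."""
    for header in AUTH_HEADERS:
        environ.pop(_env_key(header), None)


def _set_headers_from_token(environ, token):
    """Populate identity headers from the verified token only."""
    environ[_env_key("X-Identity-Status")] = "Confirmed"
    environ[_env_key("X-User-Id")] = token["user_id"]
    environ[_env_key("X-Project-Id")] = token["project_id"]
    environ[_env_key("X-Roles")] = ",".join(token["roles"])
    # Conditionally set header: without prior sanitization, a client-supplied
    # value survives whenever this condition is false.
    if token.get("is_admin_project"):
        environ[_env_key("X-Is-Admin-Project")] = "True"


def process_request(environ, token, sanitize_first=True):
    """Request path of the middleware. `token` stands in for the (assumed
    verified) result of token introspection. sanitize_first=False reproduces
    the pre-fix behaviour so a regression test can check both paths."""
    if sanitize_first:
        remove_auth_headers(environ)
    _set_headers_from_token(environ, token)
    # Return what the downstream service would see.
    return {h: environ.get(_env_key(h)) for h in AUTH_HEADERS}


def sample_environ():
    """Constructed request from a non-admin user supplying an identity header."""
    return {"REQUEST_METHOD": "GET", "PATH_INFO": "/v3/servers",
            "HTTP_AUTHORIZATION": "Bearer constructed-token",
            "HTTP_X_IS_ADMIN_PROJECT": "True"}  # supplied by the client
```

A deployment-side check is the same: with the fixed package, a request carrying X-Is-Admin-Project must reach the service with that header absent unless the token itself grants it.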
--- Begin Message ---
Source: python-keystonemiddleware
Source-Version: 10.9.0-2+deb13u1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-keystonemiddleware, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-keystonemiddleware package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Thu, 15 Jan 2026 08:57:22 +0100
Source: python-keystonemiddleware
Architecture: source
Version: 10.9.0-2+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1125680
Changes:
 python-keystonemiddleware (10.9.0-2+deb13u1) trixie-security; urgency=medium
 .
   * CVE-2026-22797 / OSSA-2026-001: privilege escalation via spoofed identity
     headers. Applied upstream patch: Fix privilege escalation via spoofed
     identity headers (Closes: #1125680).



--- End Message ---
