{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-40683", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-14T20:05:01.861Z", "datePublished": "2026-04-14T20:05:03.274Z", "dateUpdated": "2026-04-14T20:14:44.539Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Keystone", "vendor": "OpenStack", "versions": [{"lessThan": "25.0.1", "status": "affected", "version": "8.0.0", "versionType": "semver"}, {"lessThan": "26.1.1", "status": "affected", "version": "26.0.0", "versionType": "semver"}, {"lessThan": "27.0.1", "status": "affected", "version": "27.0.0", "versionType": "semver"}, {"lessThan": "28.0.1", "status": "affected", "version": "28.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., \"FALSE\") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-843", "description": "CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T20:13:59.629Z"}, "references": [{"url": "https://bugs.launchpad.net/keystone/+bug/2121152"}, {"url": "https://bugs.launchpad.net/keystone/+bug/2141713"}, {"url": "https://review.opendev.org/958205"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/14/9"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "25.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0.0", "versionEndExcluding": "26.1.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "27.0.0", "versionEndExcluding": "27.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "versionStartIncluding": "28.0.0", "versionEndExcluding": "28.0.1"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T20:14:37.459439Z", "id": "CVE-2026-40683", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T20:14:44.539Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40683", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T20:14:37.459439Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T20:14:41.085Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenStack", "product": "Keystone", "versions": [{"status": "affected", "version": "8.0.0", "lessThan": "25.0.1", "versionType": "semver"}, {"status": "affected", "version": "26.0.0", "lessThan": "26.1.1", "versionType": "semver"}, {"status": "affected", "version": "27.0.0", "lessThan": "27.0.1", "versionType": "semver"}, {"status": "affected", "version": "28.0.0", "lessThan": "28.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://bugs.launchpad.net/keystone/+bug/2121152"}, {"url": "https://bugs.launchpad.net/keystone/+bug/2141713"}, {"url": "https://review.opendev.org/958205"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/14/9"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., \"FALSE\") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-843", "description": "CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "25.0.1", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "26.1.1", "versionStartIncluding": "26.0.0"}, {"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "27.0.1", "versionStartIncluding": "27.0.0"}, {"criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "28.0.1", "versionStartIncluding": "28.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T20:13:59.629Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40683", "state": "PUBLISHED", "dateUpdated": "2026-04-14T20:14:44.539Z", "dateReserved": "2026-04-14T20:05:01.861Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T20:05:03.274Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., \"FALSE\") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected."}], "id": "CVE-2026-40683", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.3, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-14T20:16:48.203", "references": [{"source": "cve@mitre.org", "url": "https://bugs.launchpad.net/keystone/+bug/2121152"}, {"source": "cve@mitre.org", "url": "https://bugs.launchpad.net/keystone/+bug/2141713"}, {"source": "cve@mitre.org", "url": "https://review.opendev.org/958205"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2026/04/14/9"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-843"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "OpenStack Keystone: OpenStack Keystone: Unauthorized access due to incorrect LDAP user status handling", "id": "2458472", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458472"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-843", "details": ["A flaw was found in OpenStack Keystone. When using the LDAP identity backend, the system incorrectly processes the user enabled attribute if the user_enabled_invert configuration option is set to False. This error causes users marked as disabled in LDAP to be treated as enabled within Keystone, allowing them to authenticate and perform actions despite their disabled status. This can lead to unauthorized access to resources."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, configure OpenStack Keystone to correctly interpret the LDAP user enabled attribute. Set the `user_enabled_invert` option to `True` in the `keystone.conf` file.\nExample:\n```ini\n[ldap]\nuser_enabled_invert = True\n```\nAfter modifying the configuration, restart the Keystone service for the changes to take effect. This may temporarily disrupt authentication services.\nAdditionally the user should start using an LDAP attribute with inverted semantics (such as nsAccountLock) to match the same semantics of the keystone side."}, "name": "CVE-2026-40683", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Affected", "package_name": "rhosp13/openstack-keystone", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "openstack-keystone", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "rhosp-rhel8/openstack-keystone", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "openstack-keystone", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "rhosp-rhel9/openstack-keystone", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "openstack-keystone", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "rhoso/openstack-keystone-rhel9", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-04-14T20:05:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40683\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40683\nhttps://bugs.launchpad.net/keystone/+bug/2121152\nhttps://bugs.launchpad.net/keystone/+bug/2141713\nhttps://review.opendev.org/958205\nhttps://www.openwall.com/lists/oss-security/2026/04/14/9"], "statement": "There's a flaw in OpenStack Keystone's LDAP identity backend allows unauthorized access. When the `user_enabled_invert` configuration option is set to its default of `False`, users marked as disabled in LDAP are incorrectly treated as enabled within Keystone. This enables them to authenticate and perform actions, affecting Red Hat OpenStack Platform deployments utilizing the LDAP identity backend without `user_enabled_invert=True` or `user_enabled_emulation` configured.\nThis flaw happens due to the fact that any non-empty string in the Python programing language are handled as `True`, openstack-keystone lacks the proper conversion from string to boolean type when reading the user enabled LDAP attribute when the `user_enabled_invert` configuration is set to false, this will lead to any previously existing user which is disabled in the LDAP side will be handled as enabled by the OpenStack Keystone.\nRed Hat Product Security has rated this flaw as having the severity of Moderate as for exploiting this flaw the attacker needs to have a previous access to the targeted system, additionally the impact will be limited to the same level of access the attacker had previously it had its user disabled in the LDAP side.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,25.0.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[26.0.0,26.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[27.0.0,27.0.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[28.0.0,28.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Keystone", "source": "cna", "vendor": "OpenStack"}, "product": "keystone", "vendor": "openstack"}], "analysis": {"en": {"generated_at": "2026-04-14T21:13:25.621341+00:00", "value": {"mitigation_remediation": ["Update Keystone to version 28.0.1 or newer", "Configure the LDAP backend by setting user_enabled_invert=True or enabling user_enabled_emulation", "Verify that disabled users in LDAP cannot authenticate after configuration changes", "If an immediate update is not possible, temporarily disable the LDAP identity backend or block authentication attempts from disabled LDAP accounts"], "summary": {"action": "Immediate Patch", "impact": "Authentication bypass via misinterpreted LDAP disabled users"}, "threat_synthesis": {"affected_systems": "This vulnerability affects deployments of OpenStack Keystone that use the LDAP identity backend and have not set user_enabled_invert to True or enabled user_enabled_emulation. All versions of Keystone released before 28.0.1 are potentially impacted if the default configuration is in use.", "description_and_impact": "OpenStack Keystone versions prior to 28.0.1 do not convert the LDAP user_enabled attribute to a boolean when the user_enabled_invert configuration option is False, the default. Because non\u2011empty strings such as \"FALSE\" evaluate as true in Python, users who are marked as disabled in the LDAP directory are incorrectly treated as enabled by Keystone. This misinterpretation allows an attacker to authenticate with a supposedly disabled user account, granting unauthorized access to Keystone services. The underlying weakness corresponds to CWE\u2011843, an inappropriate type conversion that leads to incorrect logic.", "risk_and_exploitability": "The vulnerability scores a CVSS v3.1 base score of 7.7, indicating high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an adversary who can either exploit an existing LDAP service that feeds Keystone, or manipulate LDAP data to mark a user as disabled while the backend still authenticates them. Given the logic flaw, exploitation is straightforward once the necessary LDAP data is present, and no additional privileges are required beyond a valid LDAP account that is disabled by definition."}}}}, "created": "2026-04-15T14:28:41.000840+00:00", "title": "LDAP Disabled User Attribute Misinterpreted as Enabled Causes Unauthorized Authentication in Keystone", "updated": "2026-04-15T14:41:09.771160+00:00", "vendors": ["openstack", "openstack$PRODUCT$keystone"]}