CVE-2026-40683

EPSS 0.02%
Veröffentlicht 14.04.2026 20:05:03
Zuletzt bearbeitet 17.04.2026 15:38:09
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerOpenStack

≫

Produkt Keystone

Default Statusunaffected

Version 8.0.0

Version < 25.0.1

Status affected

Version 26.0.0

Version < 26.1.1

Status affected

Version 27.0.0

Version < 27.0.1

Status affected

Version 28.0.0

Version < 28.0.1

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.056

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve@mitre.org	7.7	1.8	5.3	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

https://bugs.launchpad.net/keystone/+bug/2121152

https://bugs.launchpad.net/keystone/+bug/2141713

https://review.opendev.org/958205

https://www.openwall.com/lists/oss-security/2026/04/14/9

https://nvd.nist.gov/vuln/detail/CVE-2026-40683

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40683

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40683

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40683