YAOOK Security Advisory CVE-2026-42998, CVE-2026-42999, CVE-2026-42300, CVE-2026-42301, CVE-2026-44394

  • Date: 2026-05-28
  • Upstream advisory: TBD

What are CVE-2026-42998, CVE-2026-42999, CVE-2026-42300, CVE-2026-42301, CVE-2026-44394 and how do they affect YAOOK?

These five CVEs in OpenStack Keystone are all post-auth privilege escalation or scope expansion vulnerabilities. All Keystone releases supported by YAOOK are affected. For details of the particular exploitation flows, please consult the upstream advisory.
 
The YAOOK authors consider CVE-2026-42999 to be the most severe one. It allows cross-project privilege escalation by anyone who can obtain a valid OpenStack token, effectively breaking tenant isolation and potentially allowing escalation to cloud admin privileges.

Is my cluster vulnerable?

The following images are vulnerable:
  • keystone images before 3.0.87
  • yaook release before 2.3.0
If this image is used in your cluster for the keystone-api deployment, the cluster is vulnerable.
 
The fixed image has been built in a private pipeline which has been published alongside this advisory to prove the image provenance.

Upgrading

A new stable release will be published according to the release cycle and hotfix releases will be produced starting now. You can upgrade to that release simply by updating your operators.
 
However, due to the severity and low attack complexity of CVE-2026-42999 in particular, we recommend to immediately add a YAOOK_OP_VERSIONS_OVERRIDE variable to your Keystone operator container to pull the image before the YAOOK comprehensive release is ready.
 
The best way to do this is to set the following in the values.yaml of your keystone-operator (make sure to merge this correctly with an existing values.yaml, if you have that).
operator:
    extraEnv:
    - name: YAOOK_OP_VERSIONS_OVERRIDE
    value: |
        {
            "registry.yaook.cloud/yaook/keystone-2023.2": "registry.yaook.cloud/yaook/keystone-2023.2:3.0.87",
            "registry.yaook.cloud/yaook/keystone-2024.1": "registry.yaook.cloud/yaook/keystone-2024.1:3.0.87",
            "registry.yaook.cloud/yaook/keystone-2024.2": "registry.yaook.cloud/yaook/keystone-2024.2:3.0.87",
            "registry.yaook.cloud/yaook/keystone-2025.1": "registry.yaook.cloud/yaook/keystone-2025.1:3.0.87",
            "registry.yaook.cloud/yaook/keystone-2025.2": "registry.yaook.cloud/yaook/keystone-2025.2:3.0.87"
        }
If you are not using Helm, you can add the environment variable to the env section of your keystone-operator’s Deployment’s pod template.
en_GB
en_GB