YAOOK Security Advisory for CVE-2026-22797
- Date: 2026-01-15
- Upstream advisory: https://security.openstack.org/ossa/OSSA-2026-001.html
- Upstream bug report: https://launchpad.net/bugs/2129018
What is CVE-2026-22797 and how does it affect YAOOK?
The CVE is a vulnerability in OpenStack keystonemiddleware that allows privilege escalation via identity headers in external OAuth2 tokens. It is only exploitable when the external_oauth2_token middleware of keystonemiddleware is enabled.
This middleware has to be enabled explicitly in the api-paste.ini pipeline. As we currently do not allow users to override this file, and the middleware is not enabled in our images, Yaook deployments are not affected.
Is my cluster vulnerable?
As the middleware cannot currently be enabled in Yaook clusters, no Yaook cluster is vulnerable to this CVE.
Because of that, Yaook will NOT provide hotfixed images or releases. The upstream OpenStack patches will be included in the next regular images and released as soon as the image pins in the operator repository are updated, like any other upstream change.
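If you nevertheless want to verify this yourself on a rendered api-paste.ini (for example one copied out of a service pod), the following script walks the paste-deploy pipelines and reports whether an external_oauth2_token filter is both defined and actually wired into a pipeline. This is an added example, not code from Yaook or OpenStack. It assumes the usual paste-deploy conventions (`[pipeline:<name>]` sections with a space-separated `pipeline =` value, `[filter:<name>]` sections with `paste.filter_factory = <module>:<callable>` or `use = egg:<dist>#<entry>`); the factory module `keystonemiddleware.external_oauth2_token` and the egg entry-point name `external_oauth2_token` are assumptions about how the filter is referenced. The two ini texts are constructed sample input.

```python
"""Scan an api-paste.ini for keystonemiddleware's external_oauth2_token filter.

Added example, not Yaook or OpenStack code. A filter that is merely defined
in a [filter:...] section is harmless; the check only reports "exposed" when
some [pipeline:...] actually lists it.
"""
import configparser

# Assumed reference forms (not taken from the advisory).
OAUTH2_MODULE = "keystonemiddleware.external_oauth2_token"
OAUTH2_EGG = "egg:keystonemiddleware#external_oauth2_token"


def parse_paste_ini(text):
    """Parse paste-deploy ini text; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def external_oauth2_filters(cp):
    """Return the names of [filter:...] sections that load the external_oauth2_token middleware."""
    names = set()
    for section in cp.sections():
        if not section.startswith("filter:"):
            continue
        factory = cp.get(section, "paste.filter_factory", fallback="")
        use = cp.get(section, "use", fallback="")
        if factory.split(":", 1)[0].strip() == OAUTH2_MODULE or use.strip() == OAUTH2_EGG:
            names.add(section[len("filter:"):])
    return names


def pipelines_using(cp, filter_names):
    """Map pipeline name -> list of matching filters that appear in its pipeline line."""
    hits = {}
    for section in cp.sections():
        if not section.startswith("pipeline:"):
            continue
        members = cp.get(section, "pipeline", fallback="").split()
        used = [m for m in members if m in filter_names]
        if used:
            hits[section[len("pipeline:"):]] = used
    return hits


def check_api_paste(text):
    """Return which oauth2 filters are defined, which pipelines use them, and whether any pipeline is exposed."""
    cp = parse_paste_ini(text)
    defined = external_oauth2_filters(cp)
    active = pipelines_using(cp, defined)
    return {"defined": sorted(defined), "active_pipelines": active, "exposed": bool(active)}


# Constructed sample: the filter is defined but no pipeline references it -> not exposed.
SAFE_INI = """
[pipeline:public_api]
pipeline = cors sizelimit authtoken keystonecontext api_v21

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:external_oauth2_token]
paste.filter_factory = keystonemiddleware.external_oauth2_token:filter_factory
"""

# Constructed sample: the filter replaces authtoken in the public pipeline -> exposed.
EXPOSED_INI = """
[pipeline:public_api]
pipeline = cors sizelimit external_oauth2_token keystonecontext api_v21

[pipeline:internal_api]
pipeline = cors authtoken keystonecontext api_v21

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:external_oauth2_token]
use = egg:keystonemiddleware#external_oauth2_token
"""

if __name__ == "__main__":
    for label, ini in (("safe", SAFE_INI), ("exposed", EXPOSED_INI)):
        print(label, check_api_paste(ini))
```

Run it against the real file with `check_api_paste(open(path).read())`; a result with `"exposed": False` means the middleware is not in any request pipeline, which is the state Yaook images ship in.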