YAOOK Security Advisory for CVE-2026-33551
- Date: 2026-04-08
- Upstream advisory: https://security.openstack.org/ossa/OSSA-2026-005.html
- Upstream bug report: https://bugs.launchpad.net/swift/+bug/2142138
What is CVE-2026-33551 and how does it affect YAOOK?
OpenStack allows the creation of Application Credentials (AppCreds) that give their bearer access to a project with the privileges of the user who created them.
Application Credentials can have a limited lifetime and can be revoked. They can also be _restricted_ (meaning they cannot be used to create additional application credentials) or can be assigned roles with lower privileges, limiting what the bearer is able to do.
When AppCreds were used to create EC2 credentials, keystone failed to require _unrestricted_ AppCreds and failed to require the member role. As a result, AppCreds that are _restricted_ or that carry limited roles could create EC2 credentials with the full privileges of the user who created the AppCred.
This issue was reported by Maxence Bornecque from Orange Cyberdefense CERT Vulnerability Intelligence Watch Team and has been assigned [CVE-2026-33551](https://nvd.nist.gov/vuln/detail/CVE-2026-33551).
This issue affects OpenStack environments that allow the creation of EC2-style credentials, which are typically used for S3 access or EC2 compatibility. This is typically the case for SCS clouds, as S3 compatibility is a requirement there.
This text is copied from the SCS advisory.
Is my cluster vulnerable?
The following images are vulnerable:
- keystone images BEFORE 3.0.81
- Yaook versions <= v1.4.1 and 1.5.0 – 2.0.1
If any of these images are used in your cluster, the cluster is vulnerable.
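To check the version ranges above against what is actually running, here is an added helper (not part of the advisory or of Yaook itself) that compares keystone image tags and Yaook operator versions numerically, so that a tag such as 3.0.9 is not mistaken for being newer than 3.0.81. It assumes the image naming scheme shown in this advisory (`registry.yaook.cloud/yaook/keystone-<release>:<tag>`) and treats untagged or digest-only keystone images as unverified, i.e. vulnerable until proven otherwise.

```python
"""Added example: check image tags and operator versions against CVE-2026-33551 ranges."""
import re

# Fixed keystone image tag from the advisory: anything below this is affected.
FIXED_KEYSTONE_IMAGE = (3, 0, 81)
# Affected Yaook operator ranges from the advisory: <= 1.4.1 and 1.5.0 .. 2.0.1.
AFFECTED_YAOOK_RANGES = [((0, 0, 0), (1, 4, 1)), ((1, 5, 0), (2, 0, 1))]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse 'v1.4.1' or '3.0.81' into a comparable tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def keystone_image_vulnerable(image_ref):
    """True when image_ref is a keystone image tagged before 3.0.81.

    A missing tag, a digest, or a non-numeric tag (e.g. 'latest') cannot be
    proven fixed and is reported as vulnerable so that it gets looked at.
    """
    name, sep, tag = image_ref.rpartition(":")
    # No tag at all, or the ':' belonged to a registry port (host:5000/...).
    if not sep or "/" in tag:
        name, tag = image_ref, ""
    if "/keystone" not in name:
        return False  # not a keystone image; out of scope for this advisory
    try:
        return parse_version(tag) < FIXED_KEYSTONE_IMAGE
    except ValueError:
        return True


def yaook_version_vulnerable(version):
    """True when a Yaook release string falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_YAOOK_RANGES)


def scan_images(image_refs):
    """Return the affected refs from e.g. kubectl get pods -A -o jsonpath='{..image}'."""
    return [ref for ref in image_refs if keystone_image_vulnerable(ref)]
```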
Upgrading
A new stable release 1.4.2 has been published today. You can upgrade to that release simply by updating your operators.
Release 2.0.2 will also have this fix.
If you don't want to wait for the release, you can use a version override at the glance-operator (adjust the OpenStack version to the version you have deployed):
```yaml
values:
  operator:
    extraEnv:
      - name: YAOOK_OP_VERSIONS_OVERRIDE
        value: |
          registry.yaook.cloud/yaook/keystone-2025.1: registry.yaook.cloud/yaook/keystone-2025.1:3.0.81
```