{"id":5272,"date":"2026-04-08T16:14:58","date_gmt":"2026-04-08T14:14:58","guid":{"rendered":"https:\/\/yaook.cloud\/?page_id=5272"},"modified":"2026-04-08T16:25:09","modified_gmt":"2026-04-08T14:25:09","slug":"security-advisories-cve-2026-33551","status":"publish","type":"page","link":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2026-33551\/","title":{"rendered":"security-advisories\/cve-2026-33551"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"5272\" class=\"elementor elementor-5272\" data-elementor-post-type=\"page\">\n\t\t\t\t<div class=\"elementor-element elementor-element-56e0628 e-flex e-con-boxed e-con e-parent\" data-id=\"56e0628\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-050bc69 elementor-widget elementor-widget-text-editor\" data-id=\"050bc69\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h1>YAOOK Security Advisory for CVE-2026-33551<\/h1>\n<ul>\n<li>Date: 2026-04-08<\/li>\n<li>Upstream advisory: <a href=\"https:\/\/security.openstack.org\/ossa\/OSSA-2026-005.html\">https:\/\/security.openstack.org\/ossa\/OSSA-2026-005.html<\/a><\/li>\n<li>Upstream bug report: <a href=\"https:\/\/bugs.launchpad.net\/swift\/+bug\/2142138\">https:\/\/bugs.launchpad.net\/swift\/+bug\/2142138<\/a><\/li>\n<\/ul>\n<h2>What is CVE-2026-33551 and how does it affect YAOOK?<\/h2>\n<p>OpenStack allows the creation of Application Credentials to give its bearer access to a project with the privileges of the user who created the AppCreds.<br \/>Application Credentials can have a limited lifetime and can be revoked. 
They can also be <em>restricted<\/em> (which means that they cannot be used to create additional application credentials) or can be assigned roles with lower privileges, limiting the privileges that the bearer has.<\/p>\n<p>When AppCreds are used to create EC2 credentials, keystone failed to require <em>unrestricted<\/em> AppCreds and failed to require the member role, giving AppCreds that are <em>restricted<\/em> or that have limited roles the ability to create EC2 credentials with the full privileges of the user who created the AppCred.<\/p>\n<p>This issue was reported by Maxence Bornecque from Orange Cyberdefense CERT Vulnerability Intelligence Watch Team and has been assigned <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-33551\">CVE-2026-33551<\/a>.<\/p>\n<p>This issue affects OpenStack environments that allow the creation of EC2-style credentials, which are typically used for S3 access or EC2 compatibility. This is typically the case for SCS clouds, as S3 compatibility is a requirement.<\/p>\n<p>This text is copied from the SCS advisory.<\/p>\n<h2>Is my cluster vulnerable?<\/h2>\n<p>The following images are vulnerable:<\/p>\n<ul>\n<li>keystone images before 3.0.81<\/li>\n<li>Yaook versions &lt;= v1.4.1 and 1.5.0 &#8211; 2.0.1<\/li>\n<\/ul>\n<p>If any of these images are used in your cluster, the cluster is vulnerable.<\/p>\n<h2 id=\"upgrading\">Upgrading<\/h2>\n<p>A new stable release 1.4.2 has been published today.
You can upgrade to that release simply by updating your operators.<\/p>\n<p>Release 2.0.2 will also have this fix.<\/p>\n<p>If you don&#8217;t want to wait for the release, you can use a version override at the glance-operator (adjust the OpenStack version to the version you have deployed):<\/p>\n<pre><code class=\"code-colors hljs language-yaml\">values:\n  operator:\n    extraEnv:\n    - name: YAOOK_OP_VERSIONS_OVERRIDE\n      value: |\n        registry.yaook.cloud\/yaook\/keystone-2025.1: registry.yaook.cloud\/yaook\/keystone-2025.1:3.0.81<\/code><\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>YAOOK Security Advisory for CVE-2026-33551 Date: 2026-04-08 Upstream advisory: https:\/\/security.openstack.org\/ossa\/OSSA-2026-005.html Upstream bug report: https:\/\/bugs.launchpad.net\/swift\/+bug\/2142138 What is CVE-2026-33551 and how does it affect YAOOK?
OpenStack allows the creation of Application Credentials to give its bearer access to a project with the privileges of the user who created the AppCreds.Application Credentials can have a limited lifetime and [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-5272","page","type-page","status-publish","hentry"],"acf":[],"yoast_head_json":{"title":"security-advisories\/cve-2026-33551 &#187; Yaook","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2026-33551\/","og_locale":"en_GB","og_type":"article","og_title":"security-advisories\/cve-2026-33551 &#187; Yaook","og_description":"YAOOK Security Advisory for CVE-2026-33551 Date: 2026-04-08 Upstream advisory: https:\/\/security.openstack.org\/ossa\/OSSA-2026-005.html Upstream bug report: https:\/\/bugs.launchpad.net\/swift\/+bug\/2142138 What is CVE-2026-33551 and how does it affect YAOOK?
OpenStack allows the creation of Application Credentials to give its bearer access to a project with the privileges of the user who created the AppCreds.Application Credentials can have a limited lifetime and [&hellip;]","og_url":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2026-33551\/","og_site_name":"Yaook","article_modified_time":"2026-04-08T14:25:09+00:00","twitter_card":"summary_large_image","twitter_misc":{"Estimated reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/yaook.cloud\/security-advisories-cve-2026-33551\/","url":"https:\/\/yaook.cloud\/security-advisories-cve-2026-33551\/","name":"security-advisories\/cve-2026-33551 &#187; Yaook","isPartOf":{"@id":"https:\/\/yaook.cloud\/#website"},"datePublished":"2026-04-08T14:14:58+00:00","dateModified":"2026-04-08T14:25:09+00:00","breadcrumb":{"@id":"https:\/\/yaook.cloud\/security-advisories-cve-2026-33551\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/yaook.cloud\/security-advisories-cve-2026-33551\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/yaook.cloud\/security-advisories-cve-2026-33551\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/yaook.cloud\/"},{"@type":"ListItem","position":2,"name":"security-advisories\/cve-2026-33551"}]},{"@type":"WebSite","@id":"https:\/\/yaook.cloud\/#website","url":"https:\/\/yaook.cloud\/","name":"Yaook","description":"The Lifecycle Management Tool for OpenStack","publisher":{"@id":"https:\/\/yaook.cloud\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/yaook.cloud\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/yaook.cloud\/#organization","name":"ALASCA 
e.V.","alternateName":"Alasca - Verband f\u00fcr betriebsf\u00e4hige, offene Cloud-Infrastrukturen e.V.","url":"https:\/\/yaook.cloud\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/yaook.cloud\/#\/schema\/logo\/image\/","url":"https:\/\/alasca.cloud\/wp-content\/uploads\/2022\/08\/favicon.png","contentUrl":"https:\/\/alasca.cloud\/wp-content\/uploads\/2022\/08\/favicon.png","width":512,"height":512,"caption":"ALASCA e.V."},"image":{"@id":"https:\/\/yaook.cloud\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/comments?post=5272"}],"version-history":[{"count":7,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5272\/revisions"}],"predecessor-version":[{"id":5279,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5272\/revisions\/5279"}],"wp:attachment":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/media?parent=5272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}