{"id":5353,"date":"2026-06-10T10:21:48","date_gmt":"2026-06-10T08:21:48","guid":{"rendered":"https:\/\/yaook.cloud\/?page_id=5353"},"modified":"2026-06-10T10:38:57","modified_gmt":"2026-06-10T08:38:57","slug":"security-advisories-ossa-2026-007","status":"publish","type":"page","link":"https:\/\/yaook.cloud\/en\/security-advisories-ossa-2026-007\/","title":{"rendered":"security-advisories\/ossa-2026-007"},"content":{"rendered":"<div data-elementor-type=\"wp-page\" data-elementor-id=\"5353\" class=\"elementor elementor-5353\" data-elementor-post-type=\"page\">\n\t\t\t\t<div class=\"elementor-element elementor-element-56e0628 e-flex e-con-boxed e-con e-parent\" data-id=\"56e0628\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-050bc69 elementor-widget elementor-widget-text-editor\" data-id=\"050bc69\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h1>YAOOK Security Advisory\u00a0OSSA-2026-007<\/h1><ul><li>Date: 2026-06-10<\/li><li>Upstream advisory: <a href=\"https:\/\/security.openstack.org\/ossa\/OSSA-2026-007.html\">https:\/\/security.openstack.org\/ossa\/OSSA-2026-007.html<\/a><\/li><\/ul><h2>What is OSSA-2026-007 and how does it affect YAOOK?<\/h2><div>This CVE is a vulnerability in the Keystone LDAP identity backend. When the user_enabled_invert configuration option was False (the default), Keystone did not correctly interpret the LDAP enabled attribute, causing users disabled in LDAP to be treated as enabled and allowed to authenticate. 
Deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.<\/div><h2>Is my cluster vulnerable?<\/h2><div>The following images are vulnerable:<\/div><ul><li>keystone images before 3.0.88<\/li><li>yaook release before 2.3.1<\/li><\/ul><div>If one of these images is used in your cluster for the keystone-api deployment, the cluster is vulnerable.<\/div><h2>Upgrading<\/h2><div>A new stable release will be published according to the release cycle and hotfix releases will be produced starting now. You can upgrade to that release simply by updating your operators.<\/div><div>\u00a0<\/div><div>However, we recommend adding a <a title=\"https:\/\/docs.yaook.cloud\/user\/references\/env-reference.html#envvar-YAOOK_OP_VERSIONS_OVERRIDE\" href=\"https:\/\/docs.yaook.cloud\/user\/references\/env-reference.html#envvar-YAOOK_OP_VERSIONS_OVERRIDE\" target=\"_blank\" rel=\"noopener noreferrer\">YAOOK_OP_VERSIONS_OVERRIDE<\/a>\u00a0variable to your Keystone operator container so that the fixed image is pulled before the comprehensive YAOOK release is ready.<\/div><div>\u00a0<\/div><div>The best way to do this is to set the following in the values.yaml of your keystone-operator (make sure to merge this correctly with an existing values.yaml, if you have one).<\/div><pre class=\"rcx-box rcx-box--full rcx-css-1siaxf\" role=\"region\" data-code-block-wrapper=\"true\"><code class=\"code-colors language-yaml hljs\"><span class=\"hljs-attr\">operator:<\/span>\n    <span class=\"hljs-attr\">extraEnv:<\/span>\n    <span class=\"hljs-bullet\">-<\/span> <span class=\"hljs-attr\">name:<\/span> <span class=\"hljs-string\">YAOOK_OP_VERSIONS_OVERRIDE<\/span>\n      <span class=\"hljs-attr\">value:<\/span> <span class=\"hljs-string\">|\n        {\n            \"registry.yaook.cloud\/yaook\/keystone-2023.2\": \"registry.yaook.cloud\/yaook\/keystone-2023.2:3.0.88\",\n            \"registry.yaook.cloud\/yaook\/keystone-2024.1\": 
\"registry.yaook.cloud\/yaook\/keystone-2024.1:3.0.88\",\n            \"registry.yaook.cloud\/yaook\/keystone-2024.2\": \"registry.yaook.cloud\/yaook\/keystone-2024.2:3.0.88\",\n            \"registry.yaook.cloud\/yaook\/keystone-2025.1\": \"registry.yaook.cloud\/yaook\/keystone-2025.1:3.0.88\",\n            \"registry.yaook.cloud\/yaook\/keystone-2025.2\": \"registry.yaook.cloud\/yaook\/keystone-2025.2:3.0.88\"\n        }<\/span><\/code><\/pre><div>If you are not using Helm, you can add the environment variable to the <code class=\"code-colors inline\">env<\/code>\u00a0section of your keystone-operator's Deployment's pod template.<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>YAOOK Security Advisory\u00a0OSSA-2026-007 Date: 2026-06-10 Upstream advisory: https:\/\/security.openstack.org\/ossa\/OSSA-2026-007.html What is OSSA-2026-007 and how does it affect YAOOK? This CVE is a vulnerability in the Keystone LDAP identity backend. 
When the user_enabled_invert configuration option was False (the default), Keystone did not correctly interpret the LDAP enabled attribute, causing users disabled in LDAP to be treated as [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-5353","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/comments?post=5353"}],"version-history":[{"count":10,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5353\/revisions"}],"predecessor-version":[{"id":5374,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5353\/revisions\/5374"}],"wp:attachment":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/media?parent=5353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}