CVE-2025-65073: 
Python vulnerability analysis and mitigation

OpenStack Keystone versions before 26.0.1, 27.0.0, and 28.0.0 contain a vulnerability (CVE-2025-65073) that affects the ec2tokens and s3tokens APIs. The vulnerability was discovered by a researcher named kay and was publicly disclosed on November 4, 2025. The affected component is the Keystone authentication service in OpenStack, specifically impacting deployments where /v3/ec2tokens or /v3/s3tokens endpoints are accessible to unauthenticated clients (OpenStack Advisory).

The vulnerability exists in Keystone's ec2tokens and s3tokens APIs where an unauthenticated attacker can send requests with valid AWS Signatures (such as from presigned S3 URLs) to obtain unauthorized Keystone authorization. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N. The weakness has been classified as CWE-863 (Incorrect Authorization) (NVD).

The exploitation of this vulnerability can lead to unauthorized access and privilege escalation. When successfully exploited, attackers can obtain Keystone authorization, where ec2tokens can yield a fully scoped token, and s3tokens can reveal scope accepted by some services. This particularly affects deployments where the vulnerable endpoints are exposed on public APIs (OpenStack Advisory).

Patches have been released for multiple versions of OpenStack Keystone. While the Keystone patches are sufficient to mitigate the vulnerability, corresponding changes for Swift have been included to maintain compatibility with its optional S3-like API. Organizations should upgrade to Keystone version 26.0.1 or later. The fixes have been backported to various branches including 2024.2/dalmatian, 2025.1/epoxy, 2025.2/flamingo, and 2026.1/gazpacho (OpenStack Advisory).