CVE-2025-65073
Publication date 4 November 2025
Last updated 11 December 2025
Ubuntu priority
CVSS 3 Severity Score
Description
OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| keystone | 25.10 questing | Fixed 2:28.0.0-0ubuntu1.1 |
| | 25.04 plucky | Fixed 2:27.0.0-0ubuntu1.1 |
| | 24.04 LTS noble | Fixed 2:25.0.0-0ubuntu1.1 |
| | 22.04 LTS jammy | Fixed 2:21.0.1-0ubuntu2.1 |
| | 20.04 LTS focal | Ignored (see notes) |
| | 18.04 LTS bionic | Ignored (see notes) |
| | 16.04 LTS xenial | Ignored (see notes) |
| swift | 25.10 questing | Fixed 2.36.0-0ubuntu1.1 |
| | 25.04 plucky | Fixed 2.35.0-0ubuntu1.1 |
| | 24.04 LTS noble | Fixed 2.33.0-0ubuntu1.1 |
| | 22.04 LTS jammy | Fixed 2.29.2-0ubuntu1.1 |
| | 20.04 LTS focal | Needs evaluation |
| | 18.04 LTS bionic | Needs evaluation |
| | 16.04 LTS xenial | Needs evaluation |
| heat | 25.10 questing | Needs evaluation |
| | 25.04 plucky | Needs evaluation |
| | 24.04 LTS noble | Needs evaluation |
| | 22.04 LTS jammy | Needs evaluation |
| | 20.04 LTS focal | Needs evaluation |
| | 18.04 LTS bionic | Needs evaluation |
| | 16.04 LTS xenial | Needs evaluation |
Notes
mdeslaur
Affects: <25.0.1, ==26.0.0, ==27.0.0, ==28.0.0
This issue had no CVE number at the time of USN publication.
The heat and swift packages aren't vulnerable to this issue, but they are listed here as they need compatibility fixes to go with the keystone update. Marking priority for them as "negligible" since there is no true security impact to them.
We will not be fixing this issue in focal and earlier as the fix relies on "Consistent and Secure RBAC" functionality only available in later releases and requires a newer oslo.policy than what is available in focal.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-7926-1: OpenStack Keystone vulnerabilities (11 December 2025)