Keystone is OpenStack’s identity service. It decides who you are and what you’re allowed to do inside the cloud. When something breaks there, the problem doesn’t stay in one corner. It spreads across every service that trusts Keystone to authenticate and authorize requests. That’s why DSA-6331-1, published by Debian’s security team on 8 June 2026, deserves a look if you run OpenStack on Debian.
What got fixed
The patch bundles several vulnerabilities. The advisory’s headline is CVE-2026-44394, but the update also ships fixes for CVE-2026-42998, CVE-2026-42999, CVE-2026-43000 and CVE-2026-43001. Together, these flaws could lead to four kinds of unwanted behavior:
- Authorization bypass: performing actions you shouldn’t have permission for.
- Privilege escalation: moving from a limited role to one with more capabilities.
- User impersonation: acting on behalf of another account.
- Incomplete termination of access privileges: a credential or permission staying valid after it should have been revoked.
That last one is the quietest of the four. You revoke a token or strip a role and assume access is closed, but it isn’t, not entirely. In a multitenant setup, where several customers share the same infrastructure, that kind of bug can mean someone keeps seeing or touching resources that are no longer theirs.
Who’s affected
Any OpenStack deployment using the Keystone packages Debian ships. The advisory covers two branches:
- Debian 12 (Bookworm), where the flaw is fixed in version 2:22.0.2-0+deb12u3.
- Debian 13 (Trixie), fixed in 2:27.0.0-3+deb13u4.
Both updates also fold in two extra patches (CVE-2026-40683 and CVE-2026-33551) that were lined up for upcoming point releases and that Debian chose to bring forward in this same package.
Severity and mitigation
Debian doesn’t assign its own CVSS scores in these advisories, but the combination of impacts (impersonation and escalation among them) puts this in the high-severity range. There’s no public sign of active exploitation as of disclosure, which isn’t a reason to wait: authorization bugs in an identity service are exactly the sort of thing an attacker with a foothold inside the cloud would go after.
The mitigation is straightforward. Upgrade the Keystone package to the fixed version for your branch:
sudo apt update
sudo apt install keystone
After installing, restart the Keystone services (or whatever WSGI server runs Keystone in your deployment) so the new code actually takes effect. Whether you manage the cloud with orchestration tools such as Kolla or run Keystone under a hand-configured Apache/uWSGI setup, confirm that the service really restarted. An apt install that isn’t followed by a process restart leaves the old code running in memory.
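A way to verify the upgrade across a fleet is to compare the installed keystone package version against the fixed version the advisory names for each branch. The script below is an added example, not code from the advisory or from Debian's own tooling: it implements the version ordering described in deb-version(7) (epoch first, then upstream version, then Debian revision, with "~" sorting before everything else) so that a "+deb12u3" suffix is compared the way dpkg compares it. The function names and the sample /etc/os-release and dpkg-query lines are constructed for illustration; the fixed versions are the ones stated in the advisory.

```python
# Added example: check whether the installed keystone package is at or above the
# version DSA-6331-1 names as fixed for this Debian branch. Version comparison
# follows deb-version(7) so epochs, "~" markers and "+debNuM" suffixes order
# the way dpkg orders them.
import re
from itertools import zip_longest

# Fixed versions as stated in the advisory, keyed by Debian codename.
FIXED_VERSIONS = {
    "bookworm": "2:22.0.2-0+deb12u3",  # Debian 12
    "trixie": "2:27.0.0-3+deb13u4",    # Debian 13
}

def _char_order(c):
    """deb-version(7) ordering: '~' before everything (even end of string),
    then end of string, then letters, then all other characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _compare_fragment(a, b):
    """Compare an upstream_version or debian_revision like dpkg: alternate
    between non-digit runs (lexical, modified order) and digit runs (numeric)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            oa, ob = _char_order(ca), _char_order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def parse_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, "0"  # absent revision counts as 0
    return epoch, upstream, revision

def compare_debian_versions(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _compare_fragment(ua, ub)
    if result:
        return result
    return _compare_fragment(ra, rb)

def codename_from_os_release(text):
    """Pull VERSION_CODENAME out of /etc/os-release content."""
    for line in text.splitlines():
        if line.startswith("VERSION_CODENAME="):
            return line.split("=", 1)[1].strip().strip('"')
    return None

def keystone_is_fixed(codename, installed_version):
    """True when the installed keystone is at or above the DSA-6331-1 fix."""
    return compare_debian_versions(installed_version, FIXED_VERSIONS[codename]) >= 0

# Constructed sample input standing in for what a host would return from
#   cat /etc/os-release
#   dpkg-query -W -f='${Package} ${Version}\n' keystone
SAMPLE_OS_RELEASE = 'PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"\nID=debian\nVERSION_CODENAME=bookworm\n'
SAMPLE_DPKG_LINE = "keystone 2:22.0.2-0+deb12u2"

def check_host(os_release_text, dpkg_line):
    """Combine both inputs into a verdict a patch-compliance job can log."""
    codename = codename_from_os_release(os_release_text)
    package, installed = dpkg_line.split()
    if package != "keystone" or codename not in FIXED_VERSIONS:
        raise ValueError("unsupported package or Debian branch")
    return {
        "codename": codename,
        "installed": installed,
        "fixed": FIXED_VERSIONS[codename],
        "patched": keystone_is_fixed(codename, installed),
    }

if __name__ == "__main__":
    verdict = check_host(SAMPLE_OS_RELEASE, SAMPLE_DPKG_LINE)
    state = "patched" if verdict["patched"] else "VULNERABLE, upgrade required"
    print(f"{verdict['codename']}: keystone {verdict['installed']} "
          f"(fixed in {verdict['fixed']}) -> {state}")
```

The comparison is done in code rather than by shelling out to `dpkg --compare-versions` so the check can run from a central inventory host over collected package lists. It only tells you which package files are on disk; whether the running Keystone process loaded them is the separate restart question raised above.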
If you run Debian in production, it pays to track security advisories closely and plan updates for the kernel and critical services. We cover the distro on our Debian page.
Source
- Official advisory: Debian Security Announce – DSA-6331-1 keystone
- CVE detail: CVE-2026-44394 on NVD