UBUNTU-CVE-2026-40683

Source
https://ubuntu.com/security/CVE-2026-40683
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40683.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-40683
Upstream
  • CVE-2026-40683
Published
2026-04-14T20:16:00Z
Modified
2026-04-16T11:07:24.911788Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
  • Ubuntu - medium
Summary
[none]
Details

In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the `user_enabled_invert` configuration option is False (the default). The `_ldap_res_to_model` method in the `UserApi` class only performed string-to-boolean conversion when `user_enabled_invert` was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without `user_enabled_invert=True` or `user_enabled_emulation` are affected.

References

Affected packages

Ubuntu:16.04:LTS
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone@2:9.3.0-0ubuntu3.2?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2:8.*
2:8.0.0-0ubuntu1
2:9.*
2:9.0.0~b1-0ubuntu1
2:9.0.0~b2-0ubuntu1
2:9.0.0~b3-0ubuntu1
2:9.0.0~rc1-0ubuntu1
2:9.0.0-0ubuntu1
2:9.0.2-0ubuntu1
2:9.0.2-0ubuntu2
2:9.1.0-0ubuntu1
2:9.2.0-0ubuntu1
2:9.3.0-0ubuntu1
2:9.3.0-0ubuntu2
2:9.3.0-0ubuntu3
2:9.3.0-0ubuntu3.1
2:9.3.0-0ubuntu3.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:9.3.0-0ubuntu3.2",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:9.3.0-0ubuntu3.2",
            "binary_name": "python-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40683.json"
Ubuntu:18.04:LTS
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone@2:13.0.4-0ubuntu1?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2:12.*
2:12.0.0-0ubuntu1
2:13.*
2:13.0.0~b1-0ubuntu1
2:13.0.0~b2-0ubuntu1
2:13.0.0~b3-0ubuntu1
2:13.0.0~rc1-0ubuntu1
2:13.0.0~rc2-0ubuntu1
2:13.0.0-0ubuntu1
2:13.0.1-0ubuntu1
2:13.0.2-0ubuntu1
2:13.0.2-0ubuntu3
2:13.0.4-0ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:13.0.4-0ubuntu1",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:13.0.4-0ubuntu1",
            "binary_name": "python-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40683.json"
Ubuntu:22.04:LTS
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone@2:21.0.1-0ubuntu2.2?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2:20.*
2:20.0.0-0ubuntu1
2:20.0.0+git2021120815.2ddf8f321-0ubuntu1
2:20.0.0+git2022011217.771c943ad-0ubuntu1
2:20.0.0+git2022030313.a3fc9e7c3-0ubuntu1
2:21.*
2:21.0.0-0ubuntu1
2:21.0.1-0ubuntu1
2:21.0.1-0ubuntu2
2:21.0.1-0ubuntu2.1
2:21.0.1-0ubuntu2.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:21.0.1-0ubuntu2.2",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:21.0.1-0ubuntu2.2",
            "binary_name": "keystone-common"
        },
        {
            "binary_version": "2:21.0.1-0ubuntu2.2",
            "binary_name": "python3-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40683.json"
Ubuntu:24.04:LTS
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone@2:25.0.0-0ubuntu1.2?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2:24.*
2:24.0.0-0ubuntu1
2:24.0.0+git2024011916.adfa92b4-0ubuntu1
2:25.*
2:25.0.0~rc1-0ubuntu1
2:25.0.0-0ubuntu1
2:25.0.0-0ubuntu1.1
2:25.0.0-0ubuntu1.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:25.0.0-0ubuntu1.2",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:25.0.0-0ubuntu1.2",
            "binary_name": "keystone-common"
        },
        {
            "binary_version": "2:25.0.0-0ubuntu1.2",
            "binary_name": "python3-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40683.json"
Ubuntu:25.10
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone@2:28.0.0-0ubuntu1.1?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2:27.*
2:27.0.0-0ubuntu1
2:27.0.0+git2025080113.e066e18ab-0ubuntu1
2:28.*
2:28.0.0~rc1-0ubuntu1
2:28.0.0-0ubuntu1
2:28.0.0-0ubuntu1.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:28.0.0-0ubuntu1.1",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:28.0.0-0ubuntu1.1",
            "binary_name": "keystone-common"
        },
        {
            "binary_version": "2:28.0.0-0ubuntu1.1",
            "binary_name": "python3-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40683.json"
Ubuntu:Pro:20.04:LTS
keystone

Package

Name
keystone
Purl
pkg:deb/ubuntu/keystone@2:17.0.1-0ubuntu2+esm1?arch=source&distro=esm-infra/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2:16.*
2:16.0.0-0ubuntu1
2:17.*
2:17.0.0~b1~git2019121613.db81fee63-0ubuntu1
2:17.0.0~b2~git2020020513.99733f172-0ubuntu1
2:17.0.0~b3~git2020032415.9f9040257-0ubuntu1
2:17.0.0~b3~git2020032415.9f9040257-0ubuntu2
2:17.0.0~b3~git2020041013.7bb6314e4-0ubuntu1
2:17.0.0-0ubuntu0.20.04.1
2:17.0.1-0ubuntu1
2:17.0.1-0ubuntu2
2:17.0.1-0ubuntu2+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2:17.0.1-0ubuntu2+esm1",
            "binary_name": "keystone"
        },
        {
            "binary_version": "2:17.0.1-0ubuntu2+esm1",
            "binary_name": "keystone-common"
        },
        {
            "binary_version": "2:17.0.1-0ubuntu2+esm1",
            "binary_name": "python3-keystone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40683.json"