Home

Description

In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.

PUBLISHED Reserved 2026-04-14 | Published 2026-04-14 | Updated 2026-04-14 | Assigner mitre




HIGH: 7.7CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H

Problem types

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Product status

Default status
unaffected

8.0.0 (semver) before 25.0.1
affected

26.0.0 (semver) before 26.1.1
affected

27.0.0 (semver) before 27.0.1
affected

28.0.0 (semver) before 28.0.1
affected

References

bugs.launchpad.net/keystone/+bug/2121152

bugs.launchpad.net/keystone/+bug/2141713

review.opendev.org/958205

www.openwall.com/lists/oss-security/2026/04/14/9

cve.org (CVE-2026-40683)

nvd.nist.gov (CVE-2026-40683)

Download JSON