Introduction
Attackers can impersonate OpenStack cloud users and gain unauthorized access to cloud resources by replaying AWS signatures taken from presigned URLs. This issue affects OpenStack Keystone, the identity service at the core of many private and public cloud deployments, and has direct consequences for organizations that rely on EC2- or S3-compatible APIs for automation, storage, or registry integration.
OpenStack is a leading open source cloud infrastructure platform, powering clouds for enterprises, service providers, and research institutions worldwide. Keystone, its identity service, is responsible for authentication and authorization across all OpenStack components. The scale and importance of OpenStack in the cloud ecosystem make vulnerabilities in Keystone particularly impactful.
Technical Information
CVE-2025-65073 is a high-severity authorization bypass in OpenStack Keystone's EC2 and S3 token endpoints. The flaw is present in Keystone versions before 26.0.1, as well as in 27.0.0 and 28.0.0. The vulnerability centers on how the /v3/ec2tokens and /v3/s3tokens endpoints process AWS Signature Version 4 credentials.
When a request is made to these endpoints with a valid AWS signature (such as one embedded in a presigned S3 URL), Keystone validates the signature and may grant authorization without verifying that the requester actually possesses the AWS secret access key. This happens because the endpoints do not perform sufficient pre-authentication checks before signature validation. As a result, anyone with access to a valid presigned URL can replay the signature to Keystone and obtain a fully scoped token (via ec2tokens) or retrieve project and scope information (via s3tokens) for the associated account.
The root cause is an incorrect authorization check (CWE-863) that allows signature replay attacks. The ec2tokens endpoint is particularly critical, as it can issue a full Keystone token with all associated permissions. The s3tokens endpoint leaks metadata about account scope and project associations, which can aid further attacks. The attack window for ec2tokens is limited by the TTL of the presigned URL, but s3tokens may leak information even after expiration.
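The following is an added illustration written for this article, not Keystone code and not the fix: it takes token-request bodies in the JSON shape the ec2tokens and s3tokens endpoints consume (assumed layout, with constructed placeholder credentials) and flags those whose signature came from a presigned URL, i.e. a query-string SigV4 signature carrying X-Amz-Signature and X-Amz-Expires, then works out whether the replayed signature is still inside the URL's TTL window. This is the distinction a defender would want when reviewing Keystone request logs for the replay pattern described above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample bodies in the JSON shape the ec2tokens/s3tokens endpoints
# consume (assumed layout); access keys, hosts and signatures are placeholders.
SAMPLE_REQUESTS = [
    # 1: signature lifted from a presigned S3 URL that is still inside its TTL
    {"endpoint": "/v3/ec2tokens", "body": {"credentials": {
        "access": "AKIAEXAMPLE000000001", "host": "s3.cloud.example", "verb": "GET",
        "path": "/reports/q4.csv", "headers": {"host": "s3.cloud.example"},
        "params": {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
                   "X-Amz-Credential": "AKIAEXAMPLE000000001/20250106/RegionOne/s3/aws4_request",
                   "X-Amz-Date": "20250106T113000Z", "X-Amz-Expires": "3600",
                   "X-Amz-SignedHeaders": "host", "X-Amz-Signature": "0" * 64},
        "signature": "0" * 64}}},
    # 2: ordinary header-signed request (Authorization header, no query signature)
    {"endpoint": "/v3/ec2tokens", "body": {"credentials": {
        "access": "AKIAEXAMPLE000000002", "host": "s3.cloud.example", "verb": "PUT",
        "path": "/backups/db.tar", "params": {},
        "headers": {"host": "s3.cloud.example", "x-amz-date": "20250106T115500Z",
                    "authorization": "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE000000002/20250106/RegionOne/s3/aws4_request"},
        "signature": "1" * 64}}},
    # 3: presigned signature replayed to s3tokens after the URL's TTL has passed
    {"endpoint": "/v3/s3tokens", "body": {"credentials": {
        "access": "AKIAEXAMPLE000000001", "host": "s3.cloud.example", "verb": "GET",
        "path": "/reports/q4.csv", "headers": {"host": "s3.cloud.example"},
        "params": {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
                   "X-Amz-Credential": "AKIAEXAMPLE000000001/20250106/RegionOne/s3/aws4_request",
                   "X-Amz-Date": "20250106T100000Z", "X-Amz-Expires": "900",
                   "X-Amz-SignedHeaders": "host", "X-Amz-Signature": "0" * 64},
        "signature": "0" * 64}}},
]
NOW = datetime(2025, 1, 6, 12, 0, tzinfo=timezone.utc)  # constructed review time

def presigned_window(params):
    """(not_before, expires) of a query-string (presigned) SigV4 request, else None."""
    if "X-Amz-Signature" not in params:
        return None
    start = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    start = start.replace(tzinfo=timezone.utc)
    return start, start + timedelta(seconds=int(params.get("X-Amz-Expires", "0")))

def classify(body, now):
    """Label one token request as header-signed, presigned-live or presigned-expired.
    A presigned signature reaching either endpoint is a replay candidate; an expired
    one reaching s3tokens matches the post-TTL information leak described above."""
    window = presigned_window(body["credentials"].get("params") or {})
    if window is None:
        return "header-signed"
    not_before, expires = window
    return "presigned-live" if not_before <= now <= expires else "presigned-expired"
```

Against the constructed NOW, the three samples classify as presigned-live, header-signed and presigned-expired respectively; the third is the case worth alerting on at s3tokens even though the URL itself is no longer usable.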
No vulnerable code snippets are available in public sources. Exploit details are discussed in the official advisory and Launchpad bug report.
Affected Systems and Versions
- OpenStack Keystone versions before 26.0.1
- OpenStack Keystone 27.0.0
- OpenStack Keystone 28.0.0
All deployments that expose the /v3/ec2tokens or /v3/s3tokens endpoints and use EC2 credentials are at risk. This includes configurations where presigned URLs are generated for S3-compatible storage or registry integrations.
Vendor Security History
OpenStack Keystone has previously experienced similar issues. Notably, CVE-2020-12692 involved signature TTL validation weaknesses in the EC2 API, allowing attackers to reuse authorization headers. The OpenStack project maintains an active security response process, with coordinated advisories and patches across supported versions. However, recurring problems in external authentication handling indicate ongoing complexity and risk in these components.