Description

In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.

INFO

Published Date :

2026-04-14T20:05:03.274Z

Last Modified :

2026-04-14T20:14:44.539Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40683 vulnerability.

Vendors Products
Openstack
  • Keystone
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40683.

URL Resource
https://bugs.launchpad.net/keystone/+bug/2121152 cve-icon cve-icon cve-icon
https://bugs.launchpad.net/keystone/+bug/2141713 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-40683 cve-icon
https://review.opendev.org/958205 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-40683 cve-icon
https://www.openwall.com/lists/oss-security/2026/04/14/9 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact