LDAP disabled-user auth bypass fixed in OpenStack Keystone

TL;DR — OpenStack Keystone’s LDAP identity backend can mis-handle the “enabled/disabled” LDAP attribute, allowing LDAP-disabled users to authenticate and operate as if enabled.

What happened

OpenStack Keystone is the Identity service used to authenticate users and issue tokens for OpenStack APIs, often backed by enterprise LDAP directories.

CVE-2026-40683 describes a logic bug in Keystone’s LDAP identity backend when user_enabled_invert is set to False (the default): Keystone fails to convert the LDAP “enabled” attribute to a boolean and instead uses the raw LDAP string (e.g., "FALSE"). In Python, non-empty strings are truthy, so users marked as disabled in LDAP can be treated as enabled, allowing them to authenticate and perform actions.

Why this matters: identity backends are a shared control plane dependency—when the “disabled user” contract is broken, offboarding and incident containment procedures (disable in LDAP) stop being reliable across the cloud.

Who is impacted

• OpenStack deployments using Keystone’s LDAP identity backend.
• Specifically, deployments without user_enabled_invert=True and without user_enabled_emulation configured.

What to do now

• Follow vendor remediation guidance and apply a Keystone release that includes the fix for CVE-2026-40683.
• Use the affected/patched ranges above to scope upgrades across your fleet (control plane nodes, containers/images, and any pinned distro packages).
• If you cannot patch immediately, the OpenStack OSSA write-up referenced by the CVE lists a workaround:

  "To work around this vulnerability, set user_enabled_invert=True ... or use user_enabled_emulation"

• Treat this as an identity-control failure: if you have relied on “disable in LDAP” as an emergency response lever, validate (in staging, then prod) that disabled users can no longer obtain tokens after mitigation, and audit for any unexpected logins by supposedly-disabled LDAP accounts.