Detections
Analytics

Linux Distros Unpatched Vulnerability : CVE-2026-40683

high Nessus Plugin ID 306543

Synopsis

The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be patched.

Description

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

 - In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The
 _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., FALSE) was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected. (CVE-2026-40683)

Note that Nessus relies on the presence of the package as reported by the vendor.

Solution

There is no known solution at this time.

See Also

https://security-tracker.debian.org/tracker/CVE-2026-40683

Plugin Details

Severity: High

ID: 306543

File Name: unpatched_CVE_2026_40683.nasl

Version: 1.1

Type: Local

Agent: unix

Family: Misc.

Published: 4/15/2026

Updated: 4/15/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2026-40683

CVSS v3

Risk Factor: High

Base Score: 7.7

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:U/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:14.0, cpe:/o:debian:debian_linux:11.0, cpe:/o:debian:debian_linux:13.0, p-cpe:/a:debian:debian_linux:keystone, cpe:/o:debian:debian_linux:12.0

Required KB Items: Host/local_checks_enabled, Host/cpu, global_settings/vendor_unpatched, Host/OS/identifier

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/14/2026

Reference Information

CVE: CVE-2026-40683