oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-66171: Apache CloudStack: Any user can create a new VM from backups they should not have access to

From: "Piotr P. Karwasz" <pkarwasz () apache org>
Date: Fri, 8 May 2026 14:10:31 +0200
Severity: important

Affected versions:

- Apache CloudStack 4.21.0.0 through 4.22.0.0

Description:

The CloudStack Backup plugin has an improper access logic in versions
4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in
CloudStack 4.21.0.0+ environments, where this plugin is enabled and have
access to specific APIs can create new VMs using backups of any other
user of the environment.

Backup plugin users using CloudStack 4.21.0.0+ are recommended to
upgrade to CloudStack version 4.22.0.1, which fixes this issue.

Credit:

Fabricio Duarte <fabricio.duarte.jr () gmail com> (reporter)
Gabriel Ortiga Fernandes <gabriel.ortiga () hotmail com> (reporter)
Gabriel Pordeus Santos <gabrielpordeus () gmail com> (reporter)

References:

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
https://cloudstack.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-66171
Previous By Date Next
Previous By Thread Next

Current thread: