
Apache CloudStack CVE-2025-66171

EUVD-2025-209741 | MEDIUM
Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
2026-05-08 | apache | GHSA-5f56-5m8x-gjf9
CVSS 3.1 base score: 6.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

May 08, 2026 - 19:24 (vuln.today): Analysis generated
May 08, 2026 - 19:22 (NVD): CVSS changed to 6.5 (MEDIUM)
May 08, 2026 - 12:11 (nvd): CVE published, MEDIUM 6.5
May 08, 2026 - 12:11 (nvd): CVE published, UNKNOWN (no severity yet)

Description (NVD)

The CloudStack Backup plugin has improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments where this plugin is enabled, and who has access to specific APIs, can create new VMs using backups of any other user of the environment.

Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.

Analysis (AI)

Improper access control in the CloudStack Backup plugin allows authenticated users in CloudStack 4.21.0.0 through 4.22.0.0 to create new virtual machines using backups belonging to other users, enabling unauthorized data access and VM provisioning. The vulnerability requires valid CloudStack credentials and access to specific backup-related APIs but carries elevated risk in multi-tenant environments. Vendor-released patch available in CloudStack 4.22.0.1.

Technical Context (AI)

CloudStack is an open-source Infrastructure-as-a-Service (IaaS) platform managing virtual machine lifecycles, storage, and networking. The Backup plugin extends this functionality by enabling VM state snapshots and recovery. The vulnerability stems from insufficient authorization checks (CWE-359: Exposure of Private Personal Information to an Unauthorized Actor) in the backup restoration logic, where the plugin fails to validate that the requesting user owns or has explicit permission to access backup artifacts before allowing VM instantiation from those backups. This is a privilege escalation within the authenticated user context: the plugin accepts API calls to restore backups without properly scoping them to the calling user's tenant or ownership domain. The affected CPE range (apache_software_foundation:apache_cloudstack:*) spans versions 4.21.0.0 through 4.22.0.0, with 4.22.0.1 providing the remediation.

Remediation (AI)

Upgrade CloudStack to version 4.22.0.1 or later, which includes the authorization logic fix for the Backup plugin. If immediate upgrade is not feasible, disable the Backup plugin in the CloudStack management console (Administration → Plugins → Backup) to prevent exploitation, though this eliminates backup-based VM recovery functionality. As a temporary compensating control, restrict API access to backup-related endpoints (e.g., /api/backup/*) to specific service accounts or administrative roles only, and audit recent backup-to-VM creation events for unauthorized activity. See vendor advisory at https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm for detailed patch application steps. Disabling the plugin may impact disaster recovery procedures, so coordinate with business continuity teams before implementation.
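As an added example (not CloudStack's own code), the following is a simplified model of the ownership check the restore path must apply before a VM is created from a backup, run over constructed restore events to flag the cross-tenant restores an auditor of a 4.21.0.0 to 4.22.0.0 deployment would want to investigate. The domain tree, role names and event fields are assumptions that simplify CloudStack's account/domain model.

```python
from dataclasses import dataclass

# Simplified CloudStack tenancy model (assumption, not the real code): accounts
# belong to domains that form a tree; roles are Admin (root), DomainAdmin or User.
DOMAIN_PARENT = {"ROOT": None, "acme": "ROOT", "acme/dev": "acme", "globex": "ROOT"}

@dataclass(frozen=True)
class Account:
    name: str
    domain: str
    role: str  # "Admin", "DomainAdmin" or "User"

@dataclass(frozen=True)
class Backup:
    backup_id: str
    owner: Account

def is_ancestor_or_self(domain, candidate):
    """True if `domain` equals `candidate` or is one of its ancestors."""
    while candidate is not None:
        if candidate == domain:
            return True
        candidate = DOMAIN_PARENT[candidate]
    return False

def can_restore(caller, backup):
    """Ownership check the restore path must apply before instantiating a VM:
    root admins may use any backup, domain admins only backups owned inside
    their domain subtree, plain users only their own account's backups."""
    if caller.role == "Admin":
        return True
    if caller.role == "DomainAdmin":
        return is_ancestor_or_self(caller.domain, backup.owner.domain)
    return (caller.name, caller.domain) == (backup.owner.name, backup.owner.domain)

def audit_restores(events, backups):
    """Return the restore events whose caller fails the ownership check; on a
    vulnerable deployment these are the ones to investigate."""
    return [ev for ev in events if not can_restore(ev["caller"], backups[ev["backup_id"]])]

# Constructed sample data (not from any real environment).
ALICE = Account("alice", "acme/dev", "User")
BOB = Account("bob", "globex", "User")
ACME_ADMIN = Account("acme-admin", "acme", "DomainAdmin")
BACKUPS = {"bk-1": Backup("bk-1", ALICE), "bk-2": Backup("bk-2", BOB)}
EVENTS = [
    {"event_id": 1, "caller": ALICE, "backup_id": "bk-1"},       # own backup: allowed
    {"event_id": 2, "caller": BOB, "backup_id": "bk-1"},         # other tenant: flag
    {"event_id": 3, "caller": ACME_ADMIN, "backup_id": "bk-1"},  # admin of parent domain: allowed
    {"event_id": 4, "caller": ACME_ADMIN, "backup_id": "bk-2"},  # outside own domain: flag
]

if __name__ == "__main__":
    print([ev["event_id"] for ev in audit_restores(EVENTS, BACKUPS)])  # [2, 4]
```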


CVE-2025-66171 vulnerability details – vuln.today
