Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants.
This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0.
The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine.
Users are recommended to upgrade to version 4.22.0.1, which fixes this issue.
As a workaround for the existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details.
AnalysisAI
Unauthorized cross-tenant access in Apache CloudStack 4.21.0 through 4.22.0 allows remote unauthenticated attackers to gain full control over virtual machines belonging to other tenants via the Proxmox extension. Attackers exploit a user-editable 'proxmox_vmid' setting that lacks tenant ownership validation and predictable VM IDs to reference and control VMs across tenant boundaries, enabling VM start/stop/destroy operations. CVSS 9.1 indicates critical severity with network attack vector and no authentication required, though EPSS data and KEV status are not available to confirm active exploitation patterns.
Technical ContextAI
Apache CloudStack (CPE: cpe:2.3:a:apache_software_foundation:apache_cloudstack) is an open-source Infrastructure-as-a-Service platform for managing cloud computing environments. The Proxmox extension enables CloudStack integration with Proxmox Virtual Environment hypervisors. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), manifesting as an Insecure Direct Object Reference (IDOR) flaw. The extension uses a customer-controlled parameter 'proxmox_vmid' to map CloudStack instances to underlying Proxmox VMs without server-side validation of tenant ownership. Proxmox VM IDs follow a predictable numeric sequence, creating an enumeration vulnerability. This architectural flaw bypasses CloudStack's multi-tenancy isolation model by allowing direct manipulation of the hypervisor-level object reference through the management API.
RemediationAI
Upgrade Apache CloudStack to version 4.22.0.1 or later, which implements proper tenant ownership validation for the proxmox_vmid parameter as documented in the Apache mailing list advisory (https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm). For environments unable to immediately upgrade, implement the vendor-provided workaround by adding 'proxmox_vmid' to the global configuration parameter 'user.vm.denied.details', which prevents non-administrative users from editing this instance detail. This workaround preserves functionality for legitimate CloudStack operations while blocking user-initiated VMID manipulation. Note that the workaround does not retroactively audit or fix existing instances with attacker-modified proxmox_vmid values - administrators should audit VM associations post-mitigation using Proxmox and CloudStack logs to identify potential unauthorized access. The workaround may require administrative intervention for legitimate VM management operations that previously allowed user self-service VMID changes.
Same weakness CWE-200 – Information Exposure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28550
GHSA-whfq-93mc-cv6g