
Apache CloudStack CVE-2026-25199

EUVD-2026-28550 | CRITICAL | Information Exposure (CWE-200)
Published 2026-05-08 | Vendor: apache | GHSA-whfq-93mc-cv6g
CVSS 3.1 base score: 9.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

May 08, 2026 - 18:22 (vuln.today): Analysis generated
May 08, 2026 - 18:22 (NVD): CVSS changed to 9.1 (CRITICAL)
May 08, 2026 - 12:22 (nvd): CVE published, CRITICAL 9.1
May 08, 2026 - 12:22 (nvd): CVE published, UNKNOWN (no severity yet)

Description (NVD)

Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants.

This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0.

The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine.

Users are recommended to upgrade to version 4.22.0.1, which fixes this issue.

As a workaround for existing installations, users can be prevented from editing the proxmox_vmid instance detail by adding that detail name to the global configuration parameter user.vm.denied.details.
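The following Python script is an added example, not code from Apache CloudStack or from this page. It applies the workaround above: it appends proxmox_vmid to the comma-separated user.vm.denied.details value without dropping entries already present, and it builds a signed updateConfiguration API request using CloudStack's documented request-signing scheme (sort parameters, lowercase the query string, HMAC-SHA1 with the secret key, base64). The endpoint, API key and secret key are placeholders, and exact (case-sensitive) comparison of detail names is an assumption.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

DENIED_DETAIL = "proxmox_vmid"  # the instance detail named in the advisory


def add_denied_detail(current_value: str, detail: str = DENIED_DETAIL) -> str:
    """Return user.vm.denied.details with `detail` added.

    The value is a comma-separated list of detail names. Existing entries are
    kept and the new name is not duplicated. Assumption: names are compared
    literally (case-sensitive), so no normalisation is applied.
    """
    entries = [e.strip() for e in current_value.split(",") if e.strip()]
    if detail not in entries:
        entries.append(detail)
    return ",".join(entries)


def signed_query(params: dict, secret_key: str) -> tuple[str, str]:
    """Build the query string and its CloudStack signature.

    CloudStack sorts the parameters by (lowercased) name, URL-encodes each
    value with %20 for spaces, lowercases the whole string, and signs it with
    HMAC-SHA1 over the secret key; the signature is base64-encoded.
    """
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    query = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in ordered)
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1)
    return query, base64.b64encode(digest.digest()).decode()


def build_update_url(endpoint: str, api_key: str, secret_key: str,
                     current_value: str) -> str:
    """Signed GET URL that sets user.vm.denied.details to the extended list."""
    params = {
        "command": "updateConfiguration",
        "name": "user.vm.denied.details",
        "value": add_denied_detail(current_value),
        "response": "json",
        "apiKey": api_key,
    }
    query, signature = signed_query(params, secret_key)
    return f"{endpoint}?{query}&signature={quote(signature, safe='')}"


def rejected_details(requested: list[str], denied_value: str) -> list[str]:
    """Names in a user's detail update that the denied list would block."""
    denied = {e.strip() for e in denied_value.split(",") if e.strip()}
    return sorted(d for d in requested if d in denied)


if __name__ == "__main__":
    # Placeholder endpoint and credentials; replace with real values.
    print(build_update_url("https://cloudstack.example/client/api",
                           "API_KEY_PLACEHOLDER", "SECRET_KEY_PLACEHOLDER", ""))
```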

Analysis (AI)

Unauthorized cross-tenant access in Apache CloudStack 4.21.0 through 4.22.0 allows remote unauthenticated attackers to gain full control over virtual machines belonging to other tenants via the Proxmox extension. Attackers exploit the user-editable 'proxmox_vmid' setting, which lacks tenant ownership validation, together with predictable VM IDs to reference and control VMs across tenant boundaries, enabling VM start/stop/destroy operations. …


Remediation (AI)

Within 24 hours: Identify all CloudStack deployments running versions 4.21.0-4.22.0 with Proxmox extension enabled; isolate affected clusters from external network access if possible. Within 7 days: implement network-level access controls restricting CloudStack API access to trusted administrative networks only; disable Proxmox extension functionality until patched. …



CVE-2026-25199 vulnerability details – vuln.today
