Skip to main content

Apache CloudStack CVE-2026-25199

| EUVDEUVD-2026-28550 CRITICAL
Information Exposure (CWE-200)
2026-05-08 apache GHSA-whfq-93mc-cv6g
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 18:22 vuln.today
CVSS changed
May 08, 2026 - 18:22 NVD
9.1 (CRITICAL)
CVE Published
May 08, 2026 - 12:22 nvd
CRITICAL 9.1
CVE Published
May 08, 2026 - 12:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants.

This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0.

The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine.

Users are recommended to upgrade to version 4.22.0.1, which fixes this issue.

As a workaround for the existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details.

AnalysisAI

Unauthorized cross-tenant access in Apache CloudStack 4.21.0 through 4.22.0 allows remote unauthenticated attackers to gain full control over virtual machines belonging to other tenants via the Proxmox extension. Attackers exploit a user-editable 'proxmox_vmid' setting that lacks tenant ownership validation and predictable VM IDs to reference and control VMs across tenant boundaries, enabling VM start/stop/destroy operations. CVSS 9.1 indicates critical severity with network attack vector and no authentication required, though EPSS data and KEV status are not available to confirm active exploitation patterns.

Technical ContextAI

Apache CloudStack (CPE: cpe:2.3:a:apache_software_foundation:apache_cloudstack) is an open-source Infrastructure-as-a-Service platform for managing cloud computing environments. The Proxmox extension enables CloudStack integration with Proxmox Virtual Environment hypervisors. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), manifesting as an Insecure Direct Object Reference (IDOR) flaw. The extension uses a customer-controlled parameter 'proxmox_vmid' to map CloudStack instances to underlying Proxmox VMs without server-side validation of tenant ownership. Proxmox VM IDs follow a predictable numeric sequence, creating an enumeration vulnerability. This architectural flaw bypasses CloudStack's multi-tenancy isolation model by allowing direct manipulation of the hypervisor-level object reference through the management API.

RemediationAI

Upgrade Apache CloudStack to version 4.22.0.1 or later, which implements proper tenant ownership validation for the proxmox_vmid parameter as documented in the Apache mailing list advisory (https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm). For environments unable to immediately upgrade, implement the vendor-provided workaround by adding 'proxmox_vmid' to the global configuration parameter 'user.vm.denied.details', which prevents non-administrative users from editing this instance detail. This workaround preserves functionality for legitimate CloudStack operations while blocking user-initiated VMID manipulation. Note that the workaround does not retroactively audit or fix existing instances with attacker-modified proxmox_vmid values - administrators should audit VM associations post-mitigation using Proxmox and CloudStack logs to identify potential unauthorized access. The workaround may require administrative intervention for legitimate VM management operations that previously allowed user self-service VMID changes.

Share

CVE-2026-25199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy