Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup.
Users are recommended to upgrade to version 4.22.0.1, which fixes the issue.
AnalysisAI
Improper authorization logic in the CloudStack Backup plugin allows authenticated users to enumerate backups from any account in the environment across versions 4.21.0.0 through 4.22.0.0. An attacker with valid user credentials can exploit this to gain unauthorized visibility into backup metadata and existence across all accounts, though backup contents remain protected. The vulnerability requires the Backup plugin to be enabled and affects multi-tenant CloudStack environments where account isolation is a critical security boundary.
Technical ContextAI
The CloudStack Backup plugin implements API endpoints for backup management that fail to properly enforce account-level access controls. The vulnerability stems from CWE-863 (Incorrect Authorization), where API calls that should be scoped to the requesting user's account are instead returning results from all accounts in the system. This is a classic horizontal privilege escalation in multi-tenant architectures where API authorization checks rely on implicit trust rather than explicit account ownership validation. The affected versions include CloudStack 4.21.0.0 and 4.22.0.0, with the plugin enabled as a deployable component that extends core CloudStack functionality.
RemediationAI
Upgrade to Apache CloudStack version 4.22.0.1 or later, which includes the authorization logic fix for the Backup plugin. If immediate upgrading is not feasible, restrict access to Backup plugin APIs by implementing network-level access controls: limit authenticated users' ability to call backup-related endpoints to only those who require operational access, such as CloudStack administrators or designated backup operators. Document which API endpoints are affected and audit past access logs to identify any unauthorized cross-account backup enumeration. CloudStack environments using the Backup plugin should prioritize this update given that any authenticated user can trigger the vulnerability - consider disabling the plugin entirely if cross-account backup visibility is not an operational requirement, accepting any loss of backup plugin functionality.
More in Apache Cloudstack
View allAuthenticated CloudStack users can hijack volumes from other tenants' backups via the Backup plugin in versions 4.21.0.0
Improper access control in the CloudStack Backup plugin allows authenticated users in CloudStack 4.21.0.0 through 4.22.0
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209740
GHSA-7p28-jcmx-86m5