Skip to main content

Apache CloudStack EUVDEUVD-2025-209740

| CVE-2025-66170 MEDIUM
Incorrect Authorization (CWE-863)
2026-05-08 apache GHSA-7p28-jcmx-86m5
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 19:24 vuln.today
CVSS changed
May 08, 2026 - 19:22 NVD
6.5 (MEDIUM)
CVE Published
May 08, 2026 - 12:06 nvd
MEDIUM 6.5
CVE Published
May 08, 2026 - 12:06 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup.

Users are recommended to upgrade to version 4.22.0.1, which fixes the issue.

AnalysisAI

Improper authorization logic in the CloudStack Backup plugin allows authenticated users to enumerate backups from any account in the environment across versions 4.21.0.0 through 4.22.0.0. An attacker with valid user credentials can exploit this to gain unauthorized visibility into backup metadata and existence across all accounts, though backup contents remain protected. The vulnerability requires the Backup plugin to be enabled and affects multi-tenant CloudStack environments where account isolation is a critical security boundary.

Technical ContextAI

The CloudStack Backup plugin implements API endpoints for backup management that fail to properly enforce account-level access controls. The vulnerability stems from CWE-863 (Incorrect Authorization), where API calls that should be scoped to the requesting user's account are instead returning results from all accounts in the system. This is a classic horizontal privilege escalation in multi-tenant architectures where API authorization checks rely on implicit trust rather than explicit account ownership validation. The affected versions include CloudStack 4.21.0.0 and 4.22.0.0, with the plugin enabled as a deployable component that extends core CloudStack functionality.

RemediationAI

Upgrade to Apache CloudStack version 4.22.0.1 or later, which includes the authorization logic fix for the Backup plugin. If immediate upgrading is not feasible, restrict access to Backup plugin APIs by implementing network-level access controls: limit authenticated users' ability to call backup-related endpoints to only those who require operational access, such as CloudStack administrators or designated backup operators. Document which API endpoints are affected and audit past access logs to identify any unauthorized cross-account backup enumeration. CloudStack environments using the Backup plugin should prioritize this update given that any authenticated user can trigger the vulnerability - consider disabling the plugin entirely if cross-account backup visibility is not an operational requirement, accepting any loss of backup plugin functionality.

Share

EUVD-2025-209740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy