Skip to main content

STACKIT IaaS API EUVDEUVD-2026-35128

| CVE-2026-39910 CRITICAL
Missing Authorization (CWE-862)
2026-06-08 VulnCheck GHSA-p35h-r99r-9fcm
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
Jun 08, 2026 - 18:01 EUVD
Analysis Updated
Jun 08, 2026 - 17:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 08, 2026 - 17:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 08, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Jun 08, 2026 - 17:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Jun 08, 2026 - 17:20 vuln.today

DescriptionCVE.org

STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.

AnalysisAI

Privilege escalation in STACKIT IaaS API allows authenticated low-privileged users to compromise entire organization environments by attaching arbitrary high-privileged service accounts to attacker-controlled virtual machines. The flaw stems from a missing authorization check on the PUT servers service-accounts endpoint, letting attackers query the Instance Metadata Service for OAuth2 tokens and cross tenant boundaries. With a CVSS 4.0 score of 9.3 and the CVSS vector indicating network-reachable, low-complexity exploitation, this represents a severe cloud tenant-isolation failure, though no public exploit identified at time of analysis.

Technical ContextAI

STACKIT IaaS API is the infrastructure-as-a-service control plane operated by STACKIT (Schwarz Group's cloud platform) used to provision and manage virtual machines, service accounts, and related cloud resources for tenants. The root cause is CWE-862 (Missing Authorization): the PUT endpoint that attaches a service account to a server fails to validate that the requesting principal is permitted to use the target service account, allowing arbitrary cross-tenant service account assignment. Once a privileged service account is attached, the standard cloud Instance Metadata Service (IMDS) endpoint inside the VM returns OAuth2 access tokens scoped to that service account, which the attacker then replays against STACKIT APIs to act with the borrowed identity's permissions - the same token-theft pattern seen historically in cloud IMDS abuse (e.g., SSRF-to-IMDS) but here reached via an authorization bug rather than SSRF.

RemediationAI

Because STACKIT IaaS API is a managed cloud service, the primary fix is a server-side authorization check deployed by STACKIT itself - customers cannot patch the endpoint directly; monitor https://status.stackit.cloud and the VulnCheck advisory at https://www.vulncheck.com/advisories/stackit-iaas-api-privilege-escalation-via-service-account-attachment for confirmation that the missing authorization check has been deployed. As compensating controls until confirmation, audit existing virtual machines for unexpected attached service accounts and detach any that were not explicitly provisioned (trade-off: detaching legitimate accounts will break workloads that depend on IMDS tokens), apply least-privilege scoping to all organization service accounts so that even if one is borrowed the blast radius is limited (trade-off: requires re-evaluating IAM bindings and may break automation), rotate any service account credentials that may have been exposed via IMDS to invalidate stolen OAuth2 tokens, and tighten organization IAM so that low-privileged tenant users cannot create or modify servers (trade-off: reduces self-service capability for developers). No vendor-released patched version identifier is available in the supplied data - patch status is best characterized as 'patch available per vendor advisory' pending the status page update.

Share

EUVD-2026-35128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy