Skip to main content

Apache Cloudstack

3 CVEs product

Monthly

CVE-2025-66172 HIGH This Week

Authenticated CloudStack users can hijack volumes from other tenants' backups via the Backup plugin in versions 4.21.0.0 and 4.22.0.0. Attackers with low-privileged authenticated access can restore any user's backup volume and attach it to their own VMs, enabling complete data theft across tenant boundaries in multi-tenant environments. CVSS 8.1 reflects high confidentiality and integrity impact with low attack complexity. EPSS score of 0.01% indicates minimal observed exploitation activity, while SSVC assessment confirms non-automatable, partial technical impact with no known exploitation. Apache released patch version 4.22.0.1 addressing the access control flaw.

Information Disclosure Apache Cloudstack
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-66171 MEDIUM This Month

Improper access control in the CloudStack Backup plugin allows authenticated users in CloudStack 4.21.0.0 through 4.22.0.0 to create new virtual machines using backups belonging to other users, enabling unauthorized data access and VM provisioning. The vulnerability requires valid CloudStack credentials and access to specific backup-related APIs but carries elevated risk in multi-tenant environments. Vendor-released patch available in CloudStack 4.22.0.1.

Information Disclosure Apache Cloudstack
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66170 MEDIUM This Month

Improper authorization logic in the CloudStack Backup plugin allows authenticated users to enumerate backups from any account in the environment across versions 4.21.0.0 through 4.22.0.0. An attacker with valid user credentials can exploit this to gain unauthorized visibility into backup metadata and existence across all accounts, though backup contents remain protected. The vulnerability requires the Backup plugin to be enabled and affects multi-tenant CloudStack environments where account isolation is a critical security boundary.

Authentication Bypass Apache Cloudstack
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated CloudStack users can hijack volumes from other tenants' backups via the Backup plugin in versions 4.21.0.0 and 4.22.0.0. Attackers with low-privileged authenticated access can restore any user's backup volume and attach it to their own VMs, enabling complete data theft across tenant boundaries in multi-tenant environments. CVSS 8.1 reflects high confidentiality and integrity impact with low attack complexity. EPSS score of 0.01% indicates minimal observed exploitation activity, while SSVC assessment confirms non-automatable, partial technical impact with no known exploitation. Apache released patch version 4.22.0.1 addressing the access control flaw.

Information Disclosure Apache Cloudstack
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper access control in the CloudStack Backup plugin allows authenticated users in CloudStack 4.21.0.0 through 4.22.0.0 to create new virtual machines using backups belonging to other users, enabling unauthorized data access and VM provisioning. The vulnerability requires valid CloudStack credentials and access to specific backup-related APIs but carries elevated risk in multi-tenant environments. Vendor-released patch available in CloudStack 4.22.0.1.

Information Disclosure Apache Cloudstack
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper authorization logic in the CloudStack Backup plugin allows authenticated users to enumerate backups from any account in the environment across versions 4.21.0.0 through 4.22.0.0. An attacker with valid user credentials can exploit this to gain unauthorized visibility into backup metadata and existence across all accounts, though backup contents remain protected. The vulnerability requires the Backup plugin to be enabled and affects multi-tenant CloudStack environments where account isolation is a critical security boundary.

Authentication Bypass Apache Cloudstack
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy