Skip to main content

Iaas Api

1 CVEs product

Monthly

CVE-2026-39910 CRITICAL PATCH HOSTED Monitor

Privilege escalation in STACKIT IaaS API allows authenticated low-privileged users to compromise entire organization environments by attaching arbitrary high-privileged service accounts to attacker-controlled virtual machines. The flaw stems from a missing authorization check on the PUT servers service-accounts endpoint, letting attackers query the Instance Metadata Service for OAuth2 tokens and cross tenant boundaries. With a CVSS 4.0 score of 9.3 and the CVSS vector indicating network-reachable, low-complexity exploitation, this represents a severe cloud tenant-isolation failure, though no public exploit identified at time of analysis.

Authentication Bypass Iaas Api
NVD
CVSS 4.0
9.3
EPSS
0.0%
EPSS 0% CVSS 9.3
CRITICAL PATCH HOSTED Monitor

Privilege escalation in STACKIT IaaS API allows authenticated low-privileged users to compromise entire organization environments by attaching arbitrary high-privileged service accounts to attacker-controlled virtual machines. The flaw stems from a missing authorization check on the PUT servers service-accounts endpoint, letting attackers query the Instance Metadata Service for OAuth2 tokens and cross tenant boundaries. With a CVSS 4.0 score of 9.3 and the CVSS vector indicating network-reachable, low-complexity exploitation, this represents a severe cloud tenant-isolation failure, though no public exploit identified at time of analysis.

Authentication Bypass Iaas Api
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy