CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2026-25199 – Apache CloudStack: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access
https://notcve.org/view.php?id=CVE-2026-25199
08 May 2026 — Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to r... • https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2026-25077 – Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates
https://notcve.org/view.php?id=CVE-2026-25077
08 May 2026 — Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache Clou... • https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-69233 – Apache CloudStack: Domain/account resources limits not honored
https://notcve.org/view.php?id=CVE-2025-69233
08 May 2026 — Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue. • https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-66467 – Apache CloudStack: MinIO policy remains intact on bucket deletion
https://notcve.org/view.php?id=CVE-2025-66467
08 May 2026 — Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue. • https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm • CWE-459: Incomplete Cleanup •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-66172 – Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to
https://notcve.org/view.php?id=CVE-2025-66172
08 May 2026 — The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and attach the volume to their own VMs. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue. • https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-66171 – Apache CloudStack: Any user can create a new VM from backups they should not have access to
https://notcve.org/view.php?id=CVE-2025-66171
08 May 2026 — The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue. • https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-66170 – Apache CloudStack: Any user can list backups that they should not have access to
https://notcve.org/view.php?id=CVE-2025-66170
08 May 2026 — The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup. Users are recommended to upgrade to version 4.22.0.1, which fixes the issue. • https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm • CWE-863: Incorrect Authorization •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-59302 – Apache CloudStack: Potential remote code execution on Javascript engine defined rules
https://notcve.org/view.php?id=CVE-2025-59302
27 Nov 2025 — In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins. * quotaTariffCreate * quotaTariffUpdate * createSecondaryStorageSelector * updateSecondaryStorageSelector * updateHost * updateStorage This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix. The fix introduces a new global config... • https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-59454 – Apache CloudStack: Lack of user permission validation leading to data leak for few APIs
https://notcve.org/view.php?id=CVE-2025-59454
27 Nov 2025 — In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue. In Apache CloudStack, a gap in access control... • https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-30675 – Apache CloudStack: Unauthorised template/ISO list access to the domain/resource admins
https://notcve.org/view.php?id=CVE-2025-30675
10 Jun 2025 — In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain. A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boun... • https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •