SB2026051261 - Multiple vulnerabilities in Apache CloudStack
Published: May 12, 2026
Description
This security bulletin contains information about 7 vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2025-66170)
The vulnerability allows a remote user to list backups from other accounts.
The vulnerability exists due to improper authorization in the CloudStack Backup plugin when handling backup listing API requests. A remote user can call the backup listing API to enumerate backups belonging to any account in the environment, not only their own.
The issue does not expose the contents of the backups, and exploitation requires the backup plugin to be enabled.
2) Improper access control (CVE-ID: CVE-2025-66171)
The vulnerability allows a remote user to create virtual machines from backups belonging to other accounts.
The vulnerability exists due to improper access control in the CloudStack Backup plugin when handling backup restore API requests. A remote user can call the restore API while referencing a backup that belongs to another account and create a new virtual machine from it.
Exploitation requires the backup plugin to be enabled.
3) Improper access control (CVE-ID: CVE-2025-66172)
The vulnerability allows a remote user to attach volumes restored from other users' backups to their own virtual machines.
The vulnerability exists due to improper access control in the CloudStack Backup plugin when handling volume restore operations from backups. A remote user can restore a volume from another user's backup and attach it to a virtual machine they own, which gives them access to that volume's contents.
Exploitation requires the backup plugin to be enabled.
4) Improper access control (CVE-ID: CVE-2025-66467)
The vulnerability allows a remote user to gain unauthorized read and write access to another user's bucket.
The vulnerability exists because the MinIO integration does not clean up a bucket's access policy when the bucket is deleted. If the bucket is later recreated with the same name by another user, the stale policy still applies, and a remote user who holds the access and secret keys issued for the original bucket can reuse them to read and write the new owner's bucket.
Exploitation requires another user to create a new bucket with the same name as a previously deleted bucket.
5) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2025-69233)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to time-of-check time-of-use race conditions in the resource count check and increment logic used when allocating account or domain resources: the limit is checked and the count is incremented in separate steps, so several concurrent requests can all pass the check before any increment is recorded. A remote user can issue concurrent allocation requests to exceed the configured limits and exhaust shared capacity, causing a denial of service.
Missing validations also contribute to the issue by allowing configured allocation limits to be exceeded.
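The following is an added illustration of the check-then-increment race described above. It is a simplified model, not CloudStack's resource-limit code: a per-account counter is checked and then incremented in two steps, so concurrent allocations can all pass the check before any increment lands and the configured limit is exceeded. The hardened variant performs check and increment under one lock, which is the in-process equivalent of doing both inside a single database transaction that holds a row lock on the counter. The class and function names are hypothetical.

```python
"""Model of a TOCTOU race in quota accounting (added example, not
CloudStack code). RacyQuota reproduces the bug; AtomicQuota fixes it."""
import threading
import time


class RacyQuota:
    """Vulnerable: the limit check and the increment are separate steps."""

    def __init__(self, limit: int):
        self.limit = limit
        self.count = 0

    def allocate(self) -> bool:
        # time-of-check: every concurrent caller sees count < limit here
        if self.count >= self.limit:
            return False
        # Window between check and update (stands in for provisioning work
        # or a second round trip to the database). Sleeping releases the
        # GIL so the other threads run their check in the meantime.
        time.sleep(0.05)
        # time-of-use: the increment happens long after the check
        self.count += 1
        return True


class AtomicQuota:
    """Hardened: check and increment are one critical section."""

    def __init__(self, limit: int):
        self.limit = limit
        self.count = 0
        self._lock = threading.Lock()

    def allocate(self) -> bool:
        with self._lock:
            if self.count >= self.limit:
                return False
            self.count += 1
            return True


def race(quota, requests: int) -> int:
    """Fire `requests` concurrent allocations; return how many succeeded."""
    results = []
    barrier = threading.Barrier(requests)

    def worker():
        barrier.wait()  # release all threads at once to widen the window
        results.append(quota.allocate())

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    # With a limit of 2 and 10 concurrent requests the racy counter grants
    # far more than 2; the atomic counter grants exactly 2.
    print("racy  :", race(RacyQuota(limit=2), 10))
    print("atomic:", race(AtomicQuota(limit=2), 10))
```

The barrier is there only to make the race deterministic for the demonstration; in a real deployment the same window is opened by nothing more than two API calls arriving close together, which is why a limit check that is not atomic with its increment cannot be trusted.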
6) Command injection (CVE-ID: CVE-2026-25077)
The vulnerability allows a remote user to execute arbitrary code on KVM hosts.
The vulnerability exists due to command injection in direct download template handling: the template file name is not sanitised before it is used in a command executed on the KVM host when the template is downloaded to primary storage. A remote user can register a template with a crafted file name to execute arbitrary commands on KVM hosts.
By default, account users are allowed to register templates for direct download in deployments using the KVM hypervisor, so no elevated privileges are required.
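The following is an added illustration of the command-injection pattern described above. It is not CloudStack's direct-download code: it models the bug class with a stand-in for whatever host-side tool handles the downloaded file (here a small Python one-liner that just prints its first argument). The vulnerable path splices the attacker-controlled file name into a shell command line; the hardened path validates the name against an allow-list and passes it as a single argv element with no shell involved. The sample file names and the function names are constructed for the example.

```python
"""Vulnerable vs. hardened handling of a user-supplied file name in a
host-side command (added example, not CloudStack code)."""
import re
import shlex
import subprocess
import sys

# Constructed attacker input: a plausible image name followed by an
# injected command. "echo INJECTED" stands in for arbitrary code.
MALICIOUS_NAME = "disk.qcow2; echo INJECTED"
BENIGN_NAME = "disk.qcow2"

# Stand-in for the host-side tool: prints its first argument and exits.
_TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def stage_vulnerable(file_name: str) -> str:
    """Vulnerable: the file name is interpolated into a shell string, so
    shell metacharacters in it (; | $( ) ...) are interpreted."""
    cmd = " ".join(shlex.quote(p) for p in _TOOL) + " " + file_name
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


# Allow-list: a single path component made of alphanumerics plus . _ -,
# that does not start with '-' (never parsed as an option) or '.'
# (no hidden files, no '..'), and is of bounded length.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def is_valid_template_name(file_name: str) -> bool:
    return bool(_NAME_RE.fullmatch(file_name)) and ".." not in file_name


def stage_hardened(file_name: str) -> str:
    """Hardened: reject anything outside the allow-list, then exec with an
    argv list so the name reaches the tool as one literal argument."""
    if not is_valid_template_name(file_name):
        raise ValueError(f"rejected template file name: {file_name!r}")
    out = subprocess.run(_TOOL + [file_name], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(stage_vulnerable(MALICIOUS_NAME)))
    print("hardened  :", repr(stage_hardened(BENIGN_NAME)))
    try:
        stage_hardened(MALICIOUS_NAME)
    except ValueError as exc:
        print("hardened  :", exc)
```

Both controls matter: the argv form alone stops shell interpretation, but a strict allow-list also blocks names that are dangerous to the tool itself (option-like names, path traversal), and it gives the API a clear place to fail closed before anything reaches a hypervisor host.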
7) Improper access control (CVE-ID: CVE-2026-25199)
The vulnerability allows a remote user to gain full control over another account's virtual machine.
The vulnerability exists due to improper access control in the Proxmox extension, which uses the user-editable proxmox_vmid instance setting to associate a CloudStack instance with a Proxmox virtual machine. A remote user can change this setting on an instance they own so that it references a virtual machine belonging to another account, after which operations on their instance act on the other account's virtual machine, giving them full control over it.
Proxmox VM IDs are sequential integers, so a target ID is easy to guess, which helps exploitation.
Remediation
Install the update from the vendor's website.