Improper Authorization in Apache CloudStack - CVE-2025-66170


Published: May 12, 2026


Vulnerability identifier: #VU131150
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-66170
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache CloudStack

Detailed vulnerability description

The vulnerability allows a remote user to list backups from other accounts.

The vulnerability exists due to improper authorization in the CloudStack Backup plugin when handling backup listing API requests. A remote user can call the backup listing APIs to enumerate backups belonging to any account in the environment, not just their own.

The issue does not expose the contents of the backups, and exploitation requires the backup plugin to be enabled.
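As an added illustration (not CloudStack's own code), the following contrasts a list handler that ignores the caller with one that derives the visible set from the caller's account, domain and role. The role names, the account/domain model and the sample backups are assumptions for this example.

```python
# Added example, not CloudStack code: account-scoped listing for a backup API.
# Roles, data model and sample records are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Caller:
    account: str
    domain: str
    role: str  # assumed roles: "user", "domain_admin", "root_admin"


@dataclass(frozen=True)
class Backup:
    backup_id: str
    account: str


# Constructed sample data: three accounts across two domains.
ACCOUNT_DOMAIN = {"alice": "sales", "bob": "sales", "carol": "eng"}
BACKUPS = [Backup("bk-1", "alice"), Backup("bk-2", "alice"),
           Backup("bk-3", "bob"), Backup("bk-4", "carol")]


def list_backups_unscoped(caller: Caller, backups=BACKUPS) -> List[str]:
    """Vulnerable pattern: the caller never reaches the query, so any
    authenticated user sees every backup in the environment."""
    return [b.backup_id for b in backups]


def can_access_account(caller: Caller, account: str) -> bool:
    """Authorization rule: users see their own account, domain admins their
    domain, root admins everything."""
    if caller.role == "root_admin":
        return True
    if caller.role == "domain_admin":
        return ACCOUNT_DOMAIN.get(account) == caller.domain
    return account == caller.account


def list_backups_scoped(caller: Caller, account: Optional[str] = None,
                        backups=BACKUPS) -> List[str]:
    """Hardened pattern: a requested account filter is authorized first,
    and every returned record is re-checked against the caller."""
    if account is not None and not can_access_account(caller, account):
        raise PermissionError(f"account {account!r} not visible to caller")
    return [b.backup_id for b in backups
            if can_access_account(caller, b.account)
            and (account is None or b.account == account)]


def denied(caller: Caller, account: str) -> bool:
    """True when the scoped handler refuses the requested account filter."""
    try:
        list_backups_scoped(caller, account)
    except PermissionError:
        return True
    return False
```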


How to mitigate CVE-2025-66170

Install the security update from the vendor's website.

Sources