Improper access control in Apache CloudStack - CVE-2025-66171

Published: May 12, 2026


Vulnerability identifier: #VU131151
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-66171
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software: Apache CloudStack

Detailed vulnerability description

The vulnerability allows a remote authenticated user to create virtual machines from backups belonging to other accounts.

The vulnerability exists due to improper access control in the CloudStack Backup plugin when handling backup restore API requests: the plugin does not verify that the backup referenced in the request belongs to the calling account. A remote user can therefore call the restore APIs with a backup owned by another account and obtain a new virtual machine built from that account's data.

Exploitation requires the backup plugin to be enabled; deployments in which the plugin is disabled are not exposed.


How to mitigate CVE-2025-66171

Install the security update from the vendor's website.

Sources