Improper access control in Apache CloudStack - CVE-2025-66172
Published: May 12, 2026
Apache CloudStack
Detailed vulnerability description
The vulnerability allows a remote user to attach volumes restored from other users' backups to their own virtual machines.
The vulnerability exists due to improper access control in the CloudStack Backup plugin when handling volume restore operations from backups. The restore path does not adequately verify that the calling account is entitled to the source backup, so a remote user can call the relevant restore APIs to restore a volume from another user's backup and then attach that volume to a virtual machine they control, exposing the contents of the other user's backup.
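To make this class of flaw concrete, the following is an added example written for this page; it is not CloudStack's code and the names (Account, Backup, VirtualMachine, Volume, restore_backup_to_vm_vulnerable, restore_backup_to_vm_hardened) are hypothetical. It models the typical shape of a restore-to-VM authorization gap: the destination VM is checked against the caller, but the source backup is not. The hardened variant authorizes both objects before any data is copied. The tenant data in make_demo_store is constructed for the example.

```python
"""Illustrative model of a cross-tenant backup-restore authorization gap.

Added example, not Apache CloudStack code. All names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class PermissionDenied(Exception):
    """Raised when the caller is not allowed to use an object."""


@dataclass(frozen=True)
class Account:
    account_id: int
    is_admin: bool = False


@dataclass(frozen=True)
class Backup:
    backup_id: str
    owner_account_id: int  # tenant whose data the backup contains


@dataclass(frozen=True)
class VirtualMachine:
    vm_id: str
    owner_account_id: int


@dataclass
class Volume:
    volume_id: str
    owner_account_id: int
    attached_to: Optional[str] = None  # vm_id once attached


@dataclass
class Store:
    backups: Dict[str, Backup]
    vms: Dict[str, VirtualMachine]
    volumes: List[Volume] = field(default_factory=list)


def _owns_or_admin(caller: Account, owner_account_id: int) -> bool:
    return caller.is_admin or caller.account_id == owner_account_id


def restore_backup_to_vm_vulnerable(store: Store, caller: Account,
                                    backup_id: str, vm_id: str) -> Volume:
    """Checks the destination VM only; the source backup is never authorized."""
    backup = store.backups[backup_id]
    vm = store.vms[vm_id]
    if not _owns_or_admin(caller, vm.owner_account_id):
        raise PermissionDenied("caller does not own the target VM")
    # Missing check: backup.owner_account_id may belong to another tenant.
    volume = Volume(volume_id=f"vol-{backup.backup_id}-{vm.vm_id}",
                    owner_account_id=caller.account_id, attached_to=vm.vm_id)
    store.volumes.append(volume)
    return volume


def restore_backup_to_vm_hardened(store: Store, caller: Account,
                                  backup_id: str, vm_id: str) -> Volume:
    """Authorizes the source backup and the destination VM before restoring."""
    backup = store.backups[backup_id]
    vm = store.vms[vm_id]
    if not _owns_or_admin(caller, backup.owner_account_id):
        raise PermissionDenied("caller may not read this backup")
    if not _owns_or_admin(caller, vm.owner_account_id):
        raise PermissionDenied("caller does not own the target VM")
    # The restored volume inherits the backup owner, so an admin restore never
    # re-homes another tenant's data under the admin account.
    volume = Volume(volume_id=f"vol-{backup.backup_id}-{vm.vm_id}",
                    owner_account_id=backup.owner_account_id, attached_to=vm.vm_id)
    store.volumes.append(volume)
    return volume


def make_demo_store() -> Store:
    """Constructed data: tenant 100 owns a backup, tenant 200 owns a VM."""
    return Store(backups={"bkp-a1": Backup("bkp-a1", owner_account_id=100)},
                 vms={"vm-b1": VirtualMachine("vm-b1", owner_account_id=200)})


def attempt(restore_fn, caller: Account) -> str:
    """Run a cross-tenant restore attempt and report the outcome as a string."""
    try:
        vol = restore_fn(make_demo_store(), caller, "bkp-a1", "vm-b1")
        return f"restored:{vol.attached_to}:owner={vol.owner_account_id}"
    except PermissionDenied as exc:
        return f"denied:{exc}"


if __name__ == "__main__":
    attacker = Account(account_id=200)  # owns vm-b1 but not bkp-a1
    print("vulnerable:", attempt(restore_backup_to_vm_vulnerable, attacker))
    print("hardened:  ", attempt(restore_backup_to_vm_hardened, attacker))
    print("admin:     ", attempt(restore_backup_to_vm_hardened, Account(1, is_admin=True)))
```

Tenant 200 owns the target VM but not the backup. The vulnerable path accepts the request and attaches a volume carrying tenant 100's data to vm-b1; the hardened path rejects it before any restore work happens, while an administrator can still perform the operation. The point to take from the model is that every object an API call touches, source and destination alike, needs its own ownership check.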
Exploitation requires the backup plugin to be enabled.