CVE-2025-66172

HIGH

Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to

Title source: cna

Description

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and attach the volume to their own VMs. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/09/3

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

Scores

CVSS v3 8.1

EPSS 0.0002

EPSS Percentile 3.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-359

Status published

Products (2)

apache/cloudstack 4.21.0.0 - 4.22.0.1

Apache Software Foundation/Apache CloudStack 4.21.0.0 - 4.22.0.0

Published May 08, 2026

Tracked Since May 08, 2026