CVE-2025-66467

HIGH

Apache CloudStack: MinIO policy remains intact on bucket deletion

Title source: cna

Description

Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/09/4

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

Scores

CVSS v3 8.0

EPSS 0.0001

EPSS Percentile 1.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-459

Status published

Products (3)

apache/cloudstack 4.19.0.0 - 4.20.3.0

Apache Software Foundation/Apache CloudStack 4.19.0.0 - 4.20.2.0

Apache Software Foundation/Apache CloudStack 4.21.0.0 - 4.22.0.0

Published May 08, 2026

Tracked Since May 08, 2026