CVE-2026-39910
CRITICALSTACKIT IaaS API Privilege Escalation via Service Account Attachment
Title source: cnaDescription
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.
References (2)
Core 2
Core References
Release Notes release-notes
https://status.stackit.cloud
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/stackit-iaas-api-privilege-escalation-via-service-account-attachment
Scores
CVSS v3
9.8
EPSS
0.0030
EPSS Percentile
21.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (1)
STACKIT/IaaS API
< 2026-05-28
Published
Jun 08, 2026
Tracked Since
Jun 08, 2026