Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <3316efb8-7087-4730-b42b-5a1e9de09128@apache.org>
Date: Fri, 8 May 2026 14:10:31 +0200
From: "Piotr P. Karwasz" <pkarwasz@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-66171: Apache CloudStack: Any user can create a new VM from
 backups they should not have access to

Severity: important

Affected versions:

- Apache CloudStack 4.21.0.0 through 4.22.0.0

Description:

The CloudStack Backup plugin has an improper access logic in versions
4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in
CloudStack 4.21.0.0+ environments, where this plugin is enabled and have
access to specific APIs can create new VMs using backups of any other
user of the environment.

Backup plugin users using CloudStack 4.21.0.0+ are recommended to
upgrade to CloudStack version 4.22.0.1, which fixes this issue.

Credit:

Fabricio Duarte <fabricio.duarte.jr@...il.com> (reporter)
Gabriel Ortiga Fernandes <gabriel.ortiga@...mail.com> (reporter)
Gabriel Pordeus Santos <gabrielpordeus@...il.com> (reporter)

References:

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
https://cloudstack.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-66171

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.