The Apache CloudStack project has released two emergency LTS security updates, versions 4.20.3.0 and 4.22.0.1, addressing seven CVEs ranging from Moderate to Important severity, including a command injection flaw that could allow attackers to execute arbitrary code on KVM hypervisor hosts.
Organizations that rely on CloudStack for cloud infrastructure management should patch immediately, as several vulnerabilities allow authenticated users to access or manipulate resources outside their authorized scope.
Apache CloudStack is a widely deployed open-source Infrastructure-as-a-Service (IaaS) platform used by cloud service providers, enterprises, and data centers to manage large pools of compute, networking, and storage resources.
Apache CloudStack Patches 7 Flaws
Its broad deployment footprint makes these vulnerabilities especially critical, as a single misconfigured or unpatched deployment could expose multi-tenant infrastructure to cross-tenant compromise, data loss, and denial-of-service attacks.
The security advisory, published on May 8, 2026, by Apache CloudStack Project Management Committee member Daan Hoogland, details the following CVEs:
CVE-2026-25077 – Unauthenticated Command Injection
This is the most critical flaw in this batch. By default, CloudStack allows account users to register templates for direct download to primary storage for KVM hypervisor deployments.
Due to missing file name sanitization, an attacker can register a malicious template that executes arbitrary code on KVM hosts. This can result in the full compromise of resource integrity and confidentiality, data loss, denial-of-service attacks, and the destruction of KVM-based infrastructure. Affected versions span a wide range: Apache CloudStack 4.11.0 through 4.22.0.0.
CVE-2025-66171 – Any User Can Create VMs from Another User’s Backups
An improper access-control flaw in the CloudStack Backup plugin allows any authenticated user in environments where the Backup plugin is enabled to create new virtual machines from backups belonging to other users. This cross-account VM provisioning capability poses a significant risk to data confidentiality in multi-tenant cloud environments. Affected versions: 4.21.0.0 through 4.22.0.0.
CVE-2025-66172 – Volume Attachment Abuse Across Accounts
A companion flaw to CVE-2025-66171, this vulnerability in the same Backup plugin allows authenticated users to restore a volume from another user’s backup and attach it directly to their own VMs, effectively granting unauthorized read and write access to another tenant’s data. Affected versions: 4.21.0.0 through 4.22.0.0.
CVE-2025-66467 – MinIO Policy Persists After Bucket Deletion
A missing cleanup routine in CloudStack’s MinIO integration allows residual bucket access policies to persist after bucket deletion. If another user subsequently creates a new bucket with the same name, the previous owner’s access and secret keys remain functional, granting unauthorized read and write access to the new bucket. This affects a wide range of deployments: Apache CloudStack 4.19.0.0 through 4.22.0.0.
CVE-2026-25199 – Proxmox Extension Enables Cross-Tenant VM Takeover
The Proxmox extension for CloudStack uses a user-editable instance setting, proxmox_vmid, to link CloudStack instances to Proxmox VMs. Because this value is neither restricted nor validated against tenant ownership, and because Proxmox VM IDs are predictable integers, a non-privileged attacker can modify this setting to point to a VM in another account. This enables full control over the targeted VM, including starting, stopping, and destroying it. A workaround exists: administrators can prevent users from editing the proxmox_vmid detail by adding it to the global configuration parameter user.vm.denied.details. Affected versions: 4.21.0.0 through 4.22.0.0.
CVE-2025-69233 – Race Condition Bypasses Resource Allocation Limits
Multiple time-of-check time-of-use (TOCTOU) race conditions in CloudStack’s resource count validation and increment logic allow users to exceed configured allocation limits for their accounts and domains. An attacker can exploit this to over-provision infrastructure resources, potentially degrading service performance and leading to denial-of-service conditions. This flaw has been present since version 4.0.0.
CVE-2025-66170 – Unauthorized Backup Listing Across Accounts
The CloudStack Backup plugin allows any authenticated user with access to the relevant API to enumerate all backups within the environment, including those belonging to other users, when the plugin is enabled. While this does not expose backup contents, the metadata exposure enables reconnaissance for subsequent attacks such as CVE-2025-66171 and CVE-2025-66172. Affected versions: 4.21.0.0 through 4.22.0.0.
Affected Versions and Mitigation
The vulnerabilities span multiple CloudStack versions, depending on the CVE. Administrators should refer to the table below to identify their exposure and apply the appropriate patch:
| CVE ID | Severity | Affected Versions | Fix Version |
|---|---|---|---|
| CVE-2026-25077 | Important | 4.11.0 – 4.22.0.0 | 4.20.3.0 / 4.22.0.1 |
| CVE-2025-66171 | Important | 4.21.0.0 – 4.22.0.0 | 4.22.0.1 |
| CVE-2025-66172 | Important | 4.21.0.0 – 4.22.0.0 | 4.22.0.1 |
| CVE-2025-66467 | Important | 4.19.0.0 – 4.22.0.0 | 4.20.3.0 / 4.22.0.1 |
| CVE-2026-25199 | Moderate | 4.21.0.0 – 4.22.0.0 | 4.22.0.1 |
| CVE-2025-69233 | Moderate | 4.0.0 – 4.22.0.0 | 4.20.3.0 / 4.22.0.1 |
| CVE-2025-66170 | Low | 4.21.0.0 – 4.22.0.0 | 4.22.0.1 |
We recommend upgrading to version 4.22.0.1 or 4.20.3.0 immediately. Official source packages are available at cloudstack.apache.org/downloads, with pre-built packages available for RHEL 8/9/10, SUSE 15, and Ubuntu via the ShapeBlue and CloudStack community repositories.
Security teams should prioritize the following steps in their incident response workflow:
- Turn off the Backup plugin if it is not operationally required, to neutralize CVE-2025-66170, CVE-2025-66171, and CVE-2025-66172 as a temporary mitigation
- Audit MinIO bucket policies and check for orphaned access keys associated with deleted buckets (CVE-2025-66467)
- Apply the user.vm.denied.details global configuration to block modification of proxmox_vmid in Proxmox-integrated environments (CVE-2026-25199)
- Apply patches immediately, especially for KVM-based deployments exposed to CVE-2026-25077, which affects the broadest range of versions, from CloudStack 4.11.0 onward.
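The MinIO audit step above (CVE-2025-66467) can be scripted: the example below is added here and is not CloudStack or MinIO project code. It assumes policy documents in MinIO's IAM-style JSON (as `mc admin policy info` prints them) and a list of the buckets that currently exist; both inputs are constructed for illustration. It flags policies that still grant access to buckets that no longer exist, and buckets that more than one policy grants access to, which is the state a re-created bucket ends up in when the previous owner's policy was never cleaned up.

```python
import re

# Matches S3-style resource ARNs such as arn:aws:s3:::my-bucket or arn:aws:s3:::my-bucket/*
ARN_RE = re.compile(r"^arn:aws:s3:::([^/]+)(?:/.*)?$")


def buckets_in_policy(policy_doc):
    """Bucket names referenced by a policy's Resource entries (the '*' wildcard is ignored)."""
    names = set()
    for stmt in policy_doc.get("Statement", []):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            m = ARN_RE.match(arn)
            if m and m.group(1) != "*":
                names.add(m.group(1))
    return names


def find_orphaned_policies(policies, existing_buckets):
    """policy name -> sorted bucket names it grants access to that no longer exist."""
    existing = set(existing_buckets)
    orphans = {}
    for name, doc in policies.items():
        stale = buckets_in_policy(doc) - existing
        if stale:
            orphans[name] = sorted(stale)
    return orphans


def find_shared_buckets(policies):
    """bucket name -> sorted policy names, for buckets granted by more than one policy."""
    by_bucket = {}
    for name, doc in policies.items():
        for bucket in buckets_in_policy(doc):
            by_bucket.setdefault(bucket, []).append(name)
    return {b: sorted(p) for b, p in by_bucket.items() if len(p) > 1}


# Constructed sample input: three hypothetical per-tenant policies and the buckets
# that currently exist. "shared-name" was deleted by tenant A, then re-created by
# tenant B, but tenant A's policy was never removed; "gone-bucket" no longer exists.
SAMPLE_POLICIES = {
    "cs-tenant-a-old": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                        "Resource": ["arn:aws:s3:::shared-name", "arn:aws:s3:::shared-name/*"]}]},
    "cs-tenant-b": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                    "Resource": ["arn:aws:s3:::shared-name/*", "arn:aws:s3:::tenant-b-logs/*"]}]},
    "cs-tenant-c": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                    "Resource": "arn:aws:s3:::gone-bucket/*"}]},
}
SAMPLE_BUCKETS = ["shared-name", "tenant-b-logs"]

if __name__ == "__main__":
    print("orphaned:", find_orphaned_policies(SAMPLE_POLICIES, SAMPLE_BUCKETS))
    print("shared:", find_shared_buckets(SAMPLE_POLICIES))
```

Feed the script the live policy set and bucket list from the object store to produce the review list; each flagged policy is a candidate for removal once its access keys are confirmed to belong to the former bucket owner.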
FAQs
Q1: Which CVE in this advisory is the most severe?
CVE-2026-25077 is the most critical, enabling unauthenticated command injection via malicious templates that can compromise KVM hypervisor hosts with arbitrary code execution.
Q2: Are CloudStack deployments without the Backup plugin affected?
No, CVE-2025-66170, CVE-2025-66171, and CVE-2025-66172 only affect environments where the CloudStack Backup plugin is explicitly enabled.
Q3: Is there a workaround for CVE-2026-25199 without upgrading?
Yes, administrators can add proxmox_vmid to the user.vm.denied.details global configuration parameter to prevent users from modifying this setting.
Q4: Where can administrators download the patched CloudStack releases?
Patched releases 4.20.3.0 and 4.22.0.1 are available at cloudstack.apache.org/downloads and via ShapeBlue’s package repository at shapeblue.com/cloudstack-packages.
Site: https://thecybrdef.com