Home / Vulnerability Intelligence / CVE-2026-25199

CVE-2026-25199 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: May 9, 2026

Apache CloudStack - Broken Access Control

Published: May 8, 2026Updated: May 9, 2026Remote Exploitable

Overview

Apache CloudStack 4.21.0.0 through 4.22.0.0 contains a broken access control caused by improper validation of user-editable proxmox_vmid instance setting in Proxmox extension, letting non-privileged attackers access and control VMs of other tenants, exploit requires tenant access to modify instance settings.

Severity & Score

Severity: Critical

CVSS Score: 9.1

Impact

Non-privileged attackers can fully control virtual machines of other tenants, including starting, stopping, and destroying them.

Mitigation

Upgrade to version 4.22.0.1 or later.

References

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
http://www.openwall.com/lists/oss-security/2026/05/09/7

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-25199
Severity: Critical
CVSS Score: 9.1
Type: broken_access_control
Status: modified

CWE

CWE-200

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N