CVE-2025-66170 - Vulnerability Details

- Apache CloudStack: Any user can list backups that they should not have access to

Description

The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup.

Users are recommended to upgrade to version 4.22.0.1, which fixes the issue.

Published: 2026-05-08

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an improper authorization flaw in the CloudStack Backup plugin that allows any authenticated user to enumerate backups belonging to any account. While the attacker cannot read backup contents, the ability to list backup identifiers exposes sensitive operational information and could be used to inform future targeted attacks. Based on the description, it is inferred that the enumeration of backups could assist attackers in refining social engineering or other attack vectors, though this use is not explicitly confirmed.

Affected Systems

Apache Software Foundation’s Apache CloudStack is impacted when the Backup plugin is enabled. Versions 4.21.0.0 and 4.22.0.0 contain the flaw and must be considered vulnerable. All environments running these versions should be evaluated for the presence of the plugin.

Risk and Exploitability

The vulnerability can be exercised by any authenticated user via normal API calls. EPSS information is not available and the vulnerability is not listed in CISA’s KEV catalog, indicating no publicly disclosed exploits to date. The CVSS score is 6.5, and the risk is primarily driven by potential information disclosure that may aid attackers in planning further operations.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache CloudStack

unaffected

Version	Status	Constraints
`4.21.0.0`	affected	≤ 4.22.0.0

No data.

Vendor Product Confidence Versions

Apache

Cloudstack

95%

Version	Status	Scheme	Platform
`[4.21.0.0,4.22.0.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache CloudStack to version 4.22.0.1 or later to apply the vendor patch for the backup plugin authorization logic.
If an upgrade cannot be performed immediately, disable or remove the Backup plugin from the CloudStack environment to eliminate the attack surface.
Restrict API permissions so that only privileged roles possess access to backup listing functionality.
Monitor audit logs for unexpected backup list requests and investigate any anomalies.

Generated by OpenCVE AI on May 8, 2026 at 19:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0001.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/09/1
https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

History

Sat, 09 May 2026 07:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/09/1

Fri, 08 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 08 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache cloudstack
Vendors & Products		Apache Apache cloudstack

Fri, 08 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Description		The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup. Users are recommended to upgrade to version 4.22.0.1, which fixes the issue.
Title		Apache CloudStack: Any user can list backups that they should not have access to
Weaknesses		CWE-863
References		https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

Subscriptions

Apache Cloudstack

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-05-08T12:06:32.467Z

Updated: 2026-05-09T06:42:58.243Z

Reserved: 2025-11-22T19:26:03.523Z

Link: CVE-2025-66170

Vulnrichment

Updated: 2026-05-09T06:42:58.243Z

NVD

Status : Undergoing Analysis

Published: 2026-05-08T13:16:35.360

Modified: 2026-05-09T07:16:08.070

Link: CVE-2025-66170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T20:00:12Z

Weaknesses

CWE-863

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object