Description
The CloudStack Backup plugin has improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in a CloudStack 4.21.0.0+ environment where this plugin is enabled, and who has access to specific APIs, can create new VMs using backups belonging to any other user of the environment.

Users of the Backup plugin on CloudStack 4.21.0.0+ are advised to upgrade to CloudStack version 4.22.0.1, which fixes this issue.
Published: 2026-05-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper access logic in the CloudStack Backup plugin allows any authenticated CloudStack user to create new virtual machines from backups belonging to other users. The flaw enables a non‑admin actor to instantiate a VM with the same resources and data as the original backup, potentially giving them hidden access to sensitive workloads and infrastructure.

Affected Systems

Apache CloudStack environments running versions 4.21.0.0 or 4.22.0.0 with the Backup plugin enabled are affected. Users should upgrade to version 4.22.0.1 or later, which includes the necessary access‑control revision.

Risk and Exploitability

The vulnerability requires only authenticated access and the availability of the Backup plugin’s APIs. Exploitability is high for legitimate users within the environment; however, no public exploits are currently documented. The CVSS score of 6.5 indicates medium‑high severity, and with no EPSS figure the exact likelihood of exploitation remains unknown. Nonetheless, the ability to create arbitrary virtual machines from any user's backups poses significant risks to confidentiality, integrity, and availability.

Generated by OpenCVE AI on May 8, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache CloudStack to 4.22.0.1 or a later release that contains the access‑control fix.
  • If upgrade is unavailable, disable or remove the Backup plugin until a patch is applied.
  • Restrict API permissions so users cannot list or access backups of other accounts, ensuring only authorized roles retain backup restoration rights.

Advisories

No advisories yet.

History

Sat, 09 May 2026 07:30:00 +0000

Type: References

Fri, 08 May 2026 18:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Apache; Apache cloudstack
Type: Vendors & Products
Values Added: Apache; Apache cloudstack

Fri, 08 May 2026 13:00:00 +0000

Type: Description
Values Added: The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.
Type: Title
Values Added: Apache CloudStack: Any user can create a new VM from backups they should not have access to
Type: Weaknesses
Values Added: CWE-359
Type: References

Subscriptions

Apache Cloudstack
MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-09T06:42:59.830Z

Reserved: 2025-11-22T19:26:43.923Z

Link: CVE-2025-66171

Vulnrichment

Updated: 2026-05-09T06:42:59.830Z

NVD

Status : Undergoing Analysis

Published: 2026-05-08T13:16:35.483

Modified: 2026-05-09T07:16:08.297

Link: CVE-2025-66171

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T20:00:12Z

Weaknesses