CVE-2025-66172 - Vulnerability Details

- Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to

Description

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and attach the volume to their own VMs.

Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.

Published: 2026-05-08

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The CloudStack Backup plugin fails to enforce authorization when restoring volume backups, allowing any authenticated user who has permission to the restore API to recover volumes that belong to other users. This flaw permits a user to attach an arbitrary‑owned backup to their own VM, exposing the original user's data and potentially disrupting their resources. The weakness is a missing authorization check, classified as CWE‑359.

Affected Systems

Apache CloudStack 4.21.0.0 and 4.22.0.0 with the Backup plugin enabled are affected. The vulnerability can be exploited in any environment where the plugin is on and the restore API is accessible. The issue is resolved by upgrading to CloudStack 4.22.0.1 or a later release that includes the fix.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. The EPSS score of 0.00011, which is less than 1%, indicates a very low but nonzero exploitation probability; the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploits are active. The attack requires only normal authenticated access, suggesting a likely intra‑tenant degree of access. The risk lies primarily in the confidentiality and integrity of other tenants’ data and could be high if the attacker can perform large‑scale data retrievals. In the absence of active exploitation, continuous monitoring of restore API activity is advised.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache CloudStack

unaffected

Version	Status	Constraints
`4.21.0.0`	affected	≤ 4.22.0.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache CloudStack to version 4.22.0.1 or later to apply the vendor fix.
If an upgrade is not possible immediately, disable the Backup plugin or remove user permissions for the volume restore API.
Ensure that only roles with explicit restore privileges are granted access to the backup functionality, implementing strict role‑based access controls to prevent cross‑tenant data recovery.

Generated by OpenCVE AI on May 10, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00011.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/09/3
https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

History

Sun, 10 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sat, 09 May 2026 07:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/09/3

Fri, 08 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 08 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Description		The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and attach the volume to their own VMs. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.
Title		Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to
Weaknesses		CWE-359
References		https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-05-08T12:13:18.311Z

Updated: 2026-05-10T14:31:30.028Z

Reserved: 2025-11-22T19:27:07.615Z

Link: CVE-2025-66172

Vulnrichment

Updated: 2026-05-09T06:43:01.212Z

NVD

Status : Undergoing Analysis

Published: 2026-05-08T13:16:35.607

Modified: 2026-05-10T15:16:26.520

Link: CVE-2025-66172

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T17:00:12Z

Weaknesses

CWE-359

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object