Description
Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack.


Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fix this issue.
Published: 2026-05-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing file name sanitization in template registration lets an attacker register a template whose file name carries shell command syntax. Because direct-download templates are fetched straight onto primary storage for KVM deployment, the crafted name reaches the KVM host, where the embedded commands execute. The result is arbitrary code execution on the hypervisor host, with consequences for the integrity and confidentiality of every resource on it, possible data loss, denial of service, and loss of availability of the KVM-based environment that CloudStack manages.

Affected Systems

Apache CloudStack releases earlier than 4.20.3.0 or 4.22.0.1. Direct-download template registration is enabled by default for account users in those releases, so any KVM-managed deployment on an unpatched version is exposed unless that capability has been restricted.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates the flaw High: reachable over the network, low attack complexity, no user interaction, and only low privileges required. The EPSS score below 1% and the absence of a CISA KEV listing reflect observed exploitation activity, not difficulty of exploitation, and should not be read as lowering the severity for a deployment that lets ordinary account users register templates. The likely path is the CloudStack web UI or API: a user whose account can register direct-download templates supplies a crafted file name, and when the template is pulled onto primary storage for a KVM deployment the injected commands run on the host, giving control of that hypervisor and of the infrastructure it serves. Note that the CVE title reads "Unauthenticated", whereas the description and the PR:L component of the vector both describe an authenticated, low-privileged account user; treat the privilege requirement as low rather than none.

Generated by OpenCVE AI on May 10, 2026 at 16:50 UTC.

Remediation

Fixed in Apache CloudStack 4.20.3.0 and 4.22.0.1 (and later releases); no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Apache CloudStack to version 4.20.3.0, 4.22.0.1, or any later release that contains the fix
  • Restrict template registration privileges to administrator accounts and enforce least privilege so that non‑admin users cannot register templates
  • Audit already-registered templates for file names containing shell metacharacters or path-traversal sequences; strict file-name validation is delivered by the upgraded release, not something operators can bolt on from outside

Generated by OpenCVE AI on May 10, 2026 at 16:50 UTC.
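The file-name handling described in the analysis above and the audit step in the recommended actions can be shown in a short Python example. This is an added illustration of the bug class (CWE-94: a user-controlled name reaching a shell), not code from Apache CloudStack or from OpenCVE; the storage path /mnt/primary, the wget-based download command, the allowlist pattern and the sample template names are all assumptions constructed for the example. It contrasts the unsafe string-building pattern with a hardened version that validates the name against an allowlist, confines the target path to the storage directory and passes arguments as an argv list so no shell ever parses them, and adds an operator-side check that flags already-registered names a site still waiting to upgrade would want to review.

```python
import re
from pathlib import PurePosixPath

# Assumed primary-storage mount point on the KVM host; a hypothetical path,
# not CloudStack's real layout.
PRIMARY_STORAGE = PurePosixPath("/mnt/primary")

# Allowlist for a template file name: one path component made of letters,
# digits, dot, underscore and hyphen, not starting with a dot. A leading dot
# is refused so '..' can never pass; '/', whitespace and shell metacharacters
# such as ; | & ` $ ( ) are simply not in the character class.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def vulnerable_command(file_name: str, url: str) -> str:
    """The unsafe pattern behind this bug class: the user-controlled name is
    interpolated into a command string that a shell later parses. Shown only
    for contrast; never execute this with untrusted input."""
    return f"wget -O {PRIMARY_STORAGE}/{file_name} {url}"


def is_safe_template_name(file_name: str) -> bool:
    """True only if the whole name matches the allowlist."""
    return _SAFE_NAME.fullmatch(file_name) is not None


def build_download_argv(file_name: str, url: str) -> list:
    """Hardened form: validate the name, restrict the URL scheme, confine the
    target to the storage directory and return an argv list so that nothing
    is ever handed to a shell."""
    if not is_safe_template_name(file_name):
        raise ValueError(f"rejected template name: {file_name!r}")
    if not url.startswith(("http://", "https://")):
        raise ValueError(f"rejected URL scheme: {url!r}")
    target = PRIMARY_STORAGE / file_name
    # Defence in depth: the parent of the target must still be the storage
    # root even though the allowlist already forbids separators.
    if target.parent != PRIMARY_STORAGE:
        raise ValueError(f"path escapes primary storage: {target}")
    return ["wget", "-O", str(target), url]


def suspicious_names(names) -> list:
    """Operator-side check: given template names already registered (for
    example pulled from the management API), return the ones that fail the
    allowlist and deserve a closer look."""
    return [n for n in names if not is_safe_template_name(n)]


if __name__ == "__main__":
    # Constructed sample names; the hostile ones are illustrative only.
    sample = [
        "ubuntu-22.04.qcow2",
        "centos9.raw",
        "ubuntu.qcow2; touch /tmp/pwned",
        "$(id).qcow2",
        "../../etc/cron.d/job",
    ]
    print("unsafe string:", vulnerable_command(sample[2], "https://example.invalid/t"))
    print("hardened argv:", build_download_argv(sample[0], "https://example.invalid/t"))
    print("flagged:", suspicious_names(sample))
```

Run the module directly to see the unsafe command string, the hardened argv and the flagged names. In the argv form a name such as `ubuntu.qcow2; touch /tmp/pwned` could only ever be a single (and here rejected) file-name argument, never a second command, which is the property the missing sanitization in the vulnerable releases failed to guarantee.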

Tracking


Advisories

No advisories yet.

History

Sun, 10 May 2026 15:15:00 +0000

Type: Metrics
Values Removed:
  cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added:
  cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 09 May 2026 07:30:00 +0000

Type: References

Fri, 08 May 2026 20:00:00 +0000

Type: CPEs
Values Added:
  cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*

Fri, 08 May 2026 18:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 15:00:00 +0000

Type: First Time appeared
Values Added:
  Apache
  Apache cloudstack
Type: Vendors & Products
Values Added:
  Apache
  Apache cloudstack

Fri, 08 May 2026 13:00:00 +0000

Type: Description
Values Added:
  Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
Type: Title
Values Added:
  Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates
Type: Weaknesses
Values Added:
  CWE-94
Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-10T14:31:54.919Z

Reserved: 2026-01-28T22:03:17.222Z

Link: CVE-2026-25077

Vulnrichment

Updated: 2026-05-09T06:43:05.523Z

NVD

Status : Modified

Published: 2026-05-08T13:16:36.133

Modified: 2026-05-10T15:16:27.330

Link: CVE-2026-25077

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T17:00:12Z

Weaknesses