Description
Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants.




This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0.




The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine.




Users are recommended to upgrade to version 4.22.0.1, which fixes this issue.




As a workaround for the existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details.
Published: 2026-05-08
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Instances deployed using the Proxmox extension are linked to Proxmox virtual machines through a user‑editable detail, proxmox_vmid. Because this value is neither restricted nor validated against tenant ownership, an attacker who can modify instance details can point their instance to another tenant’s virtual machine. That attacker then gains complete operational control over the targeted VM—starting, stopping, or destroying it—without needing higher privileges or cloud‑network access. The weakness is a confidentiality breach (CWE‑200).

Affected Systems

The vulnerability resides in the Proxmox extension for Apache CloudStack, affecting all releases from 4.21.0.0 up through 4.22.0.0. Any tenant using those versions with the Proxmox integration is susceptible.

Risk and Exploitability

The CVSS score is 9.1, indicating severe risk. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is modification of the proxmox_vmid detail via CloudStack’s API or web console, which can be performed by a non‑privileged user on their own instance. Because Proxmox VM IDs are predictable and unchecked, an attacker can pivot across tenants, making exploitation realistic in an environment where tenant isolation is expected.

Generated by OpenCVE AI on May 8, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache CloudStack to version 4.22.0.1, which removes the unvalidated proxmox_vmid association.
  • Add the name proxmox_vmid to the global setting user.vm.denied.details to prevent users from editing this instance detail.
  • Limit editing of instance details to privileged administrators and enforce tenant ownership checks for the proxmox_vmid value.

Generated by OpenCVE AI on May 8, 2026 at 19:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 07:30:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*

Fri, 08 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache cloudstack
Vendors & Products Apache
Apache cloudstack

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine. Users are recommended to upgrade to version 4.22.0.1, which fixes this issue. As a workaround for the existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details.
Title Apache CloudStack: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access
Weaknesses CWE-200
References

Subscriptions

Apache Cloudstack
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-09T06:43:07.020Z

Reserved: 2026-01-30T04:45:03.322Z

Link: CVE-2026-25199

cve-icon Vulnrichment

Updated: 2026-05-09T06:43:07.020Z

cve-icon NVD

Status : Modified

Published: 2026-05-08T13:16:36.273

Modified: 2026-05-09T07:16:09.180

Link: CVE-2026-25199

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T20:00:12Z

Weaknesses