Description
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.
Published: 2026-06-08
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization check that permits an authenticated user with low privileges to attach any high‑privilege service account to a virtual machine they own. By unvalidated PUT requests to the servers service‑accounts endpoint, the attacker can then query the Instance Metadata Service to obtain OAuth2 tokens. This effectively bypasses tenant boundaries, giving the attacker control over the entire organization environment and enabling arbitrary code execution, data theft, or further infrastructure compromise.

Affected Systems

The affected system is the STACKIT IaaS API. No specific versions are listed, so all releases that include the servers service‑accounts endpoint are potentially impacted.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. EPSS is not available, but the lack of an official fix and the possibility of exploitation by any authenticated user suggest moderate to high likelihood of use. The attack requires only low‑privilege credentials and the ability to send HTTP requests to the API, which are commonly available in compromised environments. There is no listing in the CISA KEV catalog at present, but the mechanism of bypassing tenant isolation is similar to threats that have appeared in KEV, so vigilance is advised.

Generated by OpenCVE AI on June 8, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for the STACKIT IaaS API when it becomes available.
  • If a patch is not yet released, restrict the PUT servers service‑accounts endpoint to users with the highest privilege roles and enforce a policy that prevents low‑privileged accounts from attaching arbitrary service accounts.
  • Enable comprehensive audit logging for all service account attachments and monitor for anomalous activity.

Generated by OpenCVE AI on June 8, 2026 at 18:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Stackit
Stackit iaas Api
Vendors & Products Stackit
Stackit iaas Api

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.
Title STACKIT IaaS API Privilege Escalation via Service Account Attachment
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Stackit Iaas Api
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T15:47:16.803Z

Reserved: 2026-04-07T20:57:06.209Z

Link: CVE-2026-39910

cve-icon Vulnrichment

Updated: 2026-06-09T15:47:11.780Z

cve-icon NVD

Status : Deferred

Published: 2026-06-08T17:16:42.613

Modified: 2026-06-09T13:51:18.770

Link: CVE-2026-39910

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:56:57Z

Weaknesses