CVE-2025-66171 PUBLISHED

Apache CloudStack: Any user can create a new VM from backups they should not have access to

Assigner: apache
Reserved: 22.11.2025 Published: 08.05.2026 Updated: 09.05.2026

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment.

Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache CloudStack
Versions	Default: unaffected affected from 4.21.0.0 to 4.22.0.0 (incl.)

Credits

Fabricio Duarte <fabricio.duarte.jr@gmail.com> reporter
Gabriel Ortiga Fernandes <gabriel.ortiga@hotmail.com> reporter
Gabriel Pordeus Santos <gabrielpordeus@gmail.com> reporter

References

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

Problem Types

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor CWE