CVE-2025-26521
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-10

Last updated on: 2025-07-01

Assigner: Apache Software Foundation

Description
When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the 'kubeadmin' user of the CKS cluster's creator's account. An attacker who's a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator's account. CKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role "Project Kubernetes Service Role" with the following details: Account Name kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID> First Name Kubernetes Last Name Service User Account Type 0 (Normal User) Role ID <ID_OF_SERVICE_ROLE> 2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted. 3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account. 4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data: Β Β Β api-url = <API_URL> Β  Β  # For example: <MS_URL>/client/api Β  api-key = <SERVICE_USER_API_KEY> Β  secret-key = <SERVICE_USER_SECRET_KEY> Β  project-id = <PROJECT_ID> Delete the existing secret using kubectl and Kubernetes cluster config: Β Β Β ./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret Create a new secret using kubectl and Kubernetes cluster config: Β  Β  ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config Remove the temporary file: Β  Β  rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-10
Last Modified
2025-07-01
Generated
2026-05-07
AI Q&A
2025-06-11
EPSS Evaluated
2026-05-05
NVD
CVE-2025-26521
EUVD
EUVD-2025-18065
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache cloudstack From 4.17.0.0 (inc) to 4.19.3.0 (exc)
apache cloudstack From 4.20.0.0 (inc) to 4.20.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs when an Apache CloudStack user creates a CKS-based Kubernetes cluster in a project. The API key and secret key of the 'kubeadmin' user from the creator's account are embedded in the cluster's secret configuration. Any project member who can access the Kubernetes cluster can also access these keys, allowing them to impersonate the 'kubeadmin' user and perform privileged actions. This can lead to a complete compromise of the confidentiality, integrity, and availability of the creator's account resources.


How can this vulnerability impact me? :

If you are a member of a project with a CKS-based Kubernetes cluster created by another user, you could gain unauthorized access to the API and secret keys of the cluster creator's 'kubeadmin' user. This would allow you to impersonate that user and perform privileged actions, potentially leading to full compromise of the creator's account resources, including unauthorized data access, modification, or service disruption.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking if the Kubernetes cluster secret 'cloudstack-secret' in the 'kube-system' namespace contains the API key and secret key of the 'kubeadmin' user of the creator's account. Use the following command to inspect the secret: `kubectl --kubeconfig kube.conf -n kube-system get secret cloudstack-secret -o yaml`. If the secret contains the creator's 'kubeadmin' API and secret keys, the cluster is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, follow these steps: 1) Create a new service account with the role 'Project Kubernetes Service Role' named 'kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID>'. 2) Add this service account to the project hosting the Kubernetes cluster(s). 3) Generate API and secret keys for this new service account. 4) Create a temporary file '/tmp/cloud-config' with the new service account's API URL, API key, secret key, and project ID. 5) Delete the existing 'cloudstack-secret' in the Kubernetes cluster using: `kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret`. 6) Create a new secret with the updated credentials using: `kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config`. 7) Remove the temporary file. 8) Regenerate API and secret keys for the original user account that created the Kubernetes cluster. Additionally, upgrade CKS to version 4.19.3.0 or 4.20.1.0 which contains the fix.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart