CVE-2025-66467
Analyzed Analyzed - Analysis Complete
MinIO Policy Retention Flaw in Apache CloudStack

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: Apache Software Foundation

Description
Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2025-66467
EUVD
EUVD-2025-209743
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache cloudstack From 4.21.0.0 (inc) to 4.22.0.1 (exc)
apache cloudstack From 4.19.0.0 (inc) to 4.20.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs because Apache CloudStack does not properly clean up MinIO policies when a bucket is deleted. As a result, users who previously owned a bucket can retain access to it even after deletion.

If another user creates a new bucket with the same name as the deleted one, the previous owners can use their old access and secret keys to gain unauthorized read and write access to the new bucket.

Impact Analysis

This vulnerability can lead to unauthorized access to data stored in buckets. Previous owners of a deleted bucket may gain read and write access to a new bucket with the same name, potentially exposing sensitive information or allowing malicious modifications.

The CVSS score of 8.0 indicates a high severity, meaning the impact on confidentiality, integrity, and availability can be significant.

Mitigation Strategies

Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

Compliance Impact

This vulnerability allows previous owners of deleted buckets to retain unauthorized read and write access if a new bucket with the same name is created by another user. Such unauthorized access to data can lead to violations of data protection and privacy regulations.

Specifically, this could impact compliance with standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive data. Unauthorized access due to improper cleanup of access policies may result in data breaches, leading to non-compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66467. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart