CVE-2025-66467
Analyzed Analyzed - Analysis Complete

MinIO Policy Retention Flaw in Apache CloudStack

Vulnerability report for CVE-2025-66467, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: Apache Software Foundation

Description

Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-07-09
AI Q&A
2026-05-08
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache cloudstack From 4.21.0.0 (inc) to 4.22.0.1 (exc)
apache cloudstack From 4.19.0.0 (inc) to 4.20.3.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs because Apache CloudStack does not properly clean up MinIO policies when a bucket is deleted. As a result, users who previously owned a bucket can retain access to it even after deletion.

If another user creates a new bucket with the same name as the deleted one, the previous owners can use their old access and secret keys to gain unauthorized read and write access to the new bucket.

Impact Analysis

This vulnerability can lead to unauthorized access to data stored in buckets. Previous owners of a deleted bucket may gain read and write access to a new bucket with the same name, potentially exposing sensitive information or allowing malicious modifications.

The CVSS score of 8.0 indicates a high severity, meaning the impact on confidentiality, integrity, and availability can be significant.

Mitigation Strategies

Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

Compliance Impact

This vulnerability allows previous owners of deleted buckets to retain unauthorized read and write access if a new bucket with the same name is created by another user. Such unauthorized access to data can lead to violations of data protection and privacy regulations.

Specifically, this could impact compliance with standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive data. Unauthorized access due to improper cleanup of access policies may result in data breaches, leading to non-compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66467. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart