CVE-2026-25199
Modified Modified - Updated After Analysis
Unauthorized Cross-Tenant Access in Apache CloudStack Proxmox Extension

Publication date: 2026-05-08

Last updated on: 2026-05-09

Assigner: Apache Software Foundation

Description
Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine. Users are recommended to upgrade to version 4.22.0.1, which fixes this issue. As a workaround for the existing installations,Β editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-09
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-25199
EUVD
EUVD-2026-28550
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache cloudstack From 4.21.0.0 (inc) to 4.22.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Proxmox extension for Apache CloudStack versions 4.21.0.0 through 4.22.0.0. The extension improperly uses a user-editable instance setting called proxmox_vmid to link CloudStack instances with Proxmox virtual machines.

Because the proxmox_vmid value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify this setting to reference a virtual machine belonging to another tenant.

This allows unauthorized cross-tenant access, giving the attacker full control over the targeted virtual machine, including the ability to start, stop, and destroy it.

Compliance Impact

This vulnerability allows unauthorized cross-tenant access to virtual machines, enabling attackers to control instances belonging to other tenants. Such unauthorized access to data and systems can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict access controls and tenant data isolation.

By permitting non-privileged users to access and control resources of other tenants, the vulnerability undermines confidentiality and integrity requirements mandated by these standards, potentially resulting in non-compliance and associated legal or regulatory consequences.

Impact Analysis

The vulnerability can lead to unauthorized access to virtual machines belonging to other tenants within the same CloudStack environment.

An attacker with non-privileged access can gain full control over another tenant's virtual machine, including starting, stopping, and destroying it.

This can result in data loss, service disruption, and potential compromise of sensitive information hosted on the affected virtual machines.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache CloudStack to version 4.22.0.1, which contains the fix.

As a workaround for existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter user.vm.denied.details.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25199. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart