CVE-2026-39910
Received - Intake
Missing Authorization Check in STACKIT IaaS API Leading to Full Organization Compromise

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulnCheck

Description
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-09
AI Q&A
2026-06-08
EPSS Evaluated
N/A
Affected Vendors & Products
1 associated CPE:
Vendor: stackit
Product: iaas_api
Version / Range: up to 2026-05-28 (exclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-39910 is a critical vulnerability in the STACKIT IaaS API caused by a missing authorization check. It allows authenticated attackers with low privileges to escalate their access to full organization compromise. The attackers exploit an unvalidated PUT request to the servers service-accounts endpoint to attach high-privileged service accounts to virtual machines they control.

Once the high-privileged service accounts are attached, attackers can query the Instance Metadata Service to retrieve OAuth2 tokens. This bypasses tenant boundaries and grants unauthorized control over the entire organization environment.

Compliance Impact

The vulnerability allows attackers to escalate privileges and gain unauthorized control over the entire organization environment by bypassing tenant boundaries and attaching high-privileged service accounts to virtual machines they control.

Such unauthorized access and full organizational compromise can lead to exposure or misuse of sensitive data, which may violate compliance requirements under common standards and regulations like GDPR and HIPAA that mandate strict access controls and protection of personal and sensitive information.

Therefore, this vulnerability poses a significant risk to maintaining compliance with these regulations due to the potential for data breaches and unauthorized data access.

Impact Analysis

This vulnerability can lead to a complete takeover of your organization’s environment. An attacker with low privileges can escalate their access to full administrative control by attaching high-privileged service accounts to virtual machines they control.

With this unauthorized access, attackers can retrieve OAuth2 tokens and bypass tenant boundaries, potentially leading to data breaches, unauthorized resource manipulation, and disruption of services within your organization.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized PUT requests to the servers service-accounts endpoint in the STACKIT IaaS API. Specifically, look for attempts by low-privileged authenticated users to attach high-privileged service accounts to virtual machines they control.

In practice this means inspecting API access logs or API gateway logs for suspicious PUT requests targeting the service-accounts endpoint; a tool such as curl can be used to verify how the endpoint responds.

  • Check API access logs for PUT requests to the /servers/service-accounts endpoint.
  • Use commands like: curl -X PUT https://<stackit-api-endpoint>/servers/service-accounts -H "Authorization: Bearer <token>" to test if unauthorized service account attachment is possible.
  • Monitor virtual machine metadata service queries for OAuth2 tokens that should not be accessible to low-privileged users.
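A log-scanning example for the detection guidance above, added here and not part of the advisory: it parses constructed API access-log lines and flags PUT requests to a servers service-accounts endpoint that attach a service account from another project or with a higher role than the caller. The log layout, route shape and role names are assumptions, not the STACKIT format.

```python
import re

# Constructed access-log layout (an assumption, not the STACKIT log format):
#   <ts> actor=<principal> project=<id> role=<role> <METHOD> <path> <status> [sa=<id> sa_project=<id> sa_role=<role>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) project=(?P<actor_project>\S+) role=(?P<actor_role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: sa=(?P<sa>\S+) sa_project=(?P<sa_project>\S+) sa_role=(?P<sa_role>\S+))?$"
)
# Route shape of the servers service-accounts endpoint is assumed; adjust it to the real API path.
ATTACH_PATH_RE = re.compile(r"^/v\d+/projects/[^/]+/servers/[^/]+/service-accounts(?:/[^/]+)?/?$")
# Assumed role hierarchy, used to decide whether the attached account outranks the caller.
ROLE_RANK = {"reader": 0, "member": 1, "owner": 2, "org-admin": 3}

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(rec):
    """Flag a PUT to the attach endpoint when the service account being attached
    belongs to a different project (tenant boundary crossed) or outranks the caller."""
    if rec["method"] != "PUT" or not ATTACH_PATH_RE.match(rec["path"]) or not rec["sa"]:
        return False
    cross_tenant = rec["sa_project"] != rec["actor_project"]
    outranks = ROLE_RANK.get(rec["sa_role"], 0) > ROLE_RANK.get(rec["actor_role"], 0)
    return cross_tenant or outranks

def scan(lines):
    """Return the suspicious attachment attempts, noting whether the API accepted them
    (a 2xx status means the missing authorization check let the request through)."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            rec["line"] = n
            rec["succeeded"] = rec["status"].startswith("2")
            findings.append(rec)
    return findings

# Constructed sample log: one benign attach, one cross-project attach of an org-admin
# account that was accepted, one same-project attempt to attach an owner account that was denied.
SAMPLE_LOG = [
    "2026-06-01T10:00:00Z actor=dev1 project=p-a role=member PUT /v1/projects/p-a/servers/srv-1/service-accounts 200 sa=sa-build sa_project=p-a sa_role=member",
    "2026-06-01T10:05:00Z actor=dev1 project=p-a role=member PUT /v1/projects/p-a/servers/srv-1/service-accounts 200 sa=sa-admin sa_project=p-b sa_role=org-admin",
    "2026-06-01T10:07:00Z actor=intern project=p-a role=reader PUT /v1/projects/p-a/servers/srv-2/service-accounts 403 sa=sa-owner sa_project=p-a sa_role=owner",
    "2026-06-01T10:08:00Z actor=dev1 project=p-a role=member GET /v1/projects/p-a/servers/srv-1/service-accounts 200",
]
```

`scan(SAMPLE_LOG)` returns the two cross-boundary attempts; in the constructed sample the org-admin attachment was accepted with a 200, which is exactly the pattern an unpatched endpoint lets through and the one worth alerting on.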
Mitigation Strategies

Immediate mitigation steps include upgrading the STACKIT IaaS API to a version later than 2026-05-28 where the missing authorization check vulnerability is fixed.

Additionally, restrict access to the servers service-accounts endpoint to only fully authorized users and monitor for suspicious activity involving service account attachments.

  • Apply the security patch or upgrade the STACKIT IaaS API to a fixed version.
  • Implement strict authorization checks on the service-accounts endpoint.
  • Audit and monitor API usage logs for unauthorized privilege escalation attempts.