CVE-2026-25199 · CRITICAL 9.1 · EPSS percentile 38.8%

Description

Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack from 4.21.0.0 through 4.22.0.0.

The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is neither restricted nor validated against tenant ownership, and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine.

Users are recommended to upgrade to version 4.22.0.1, which fixes this issue. As a workaround for existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter user.vm.denied.details.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.50% probability of exploitation · percentile 38.8% · scored 2026-06-19T12:03:05Z
Published: 2026-05-08
Last modified: 2026-05-09

Underlying weaknesses (1)

CWE-200

References

  1. https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
  2. http://www.openwall.com/lists/oss-security/2026/05/09/7

Type      Target                                                                Confidence  Tier
Weakness  Exposure of Sensitive Information to an Unauthorized Actor (cwe-200)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-66172
  2. CVE-2026-25077
  3. CVE-2025-47849
  4. CVE-2025-47713
  5. CVE-2025-66467
  6. CVE-2026-39910

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.