CVE-2025-66170

Apache CloudStack: Any user can list backups that they should not have access to

Description

The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup. Users are recommended to upgrade to version 4.22.0.1, which fixes the issue.

INFO

Published Date :

2026-05-08T12:06:32.467Z

Last Modified :

2026-05-08T12:06:32.467Z

Source :

apache

AFFECTED PRODUCTS

The following products are affected by CVE-2025-66170 vulnerability.

Vendors	Products
Apache	Cloudstack

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66170.

URL	Resource
https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

CVE-2025-66170

Apache CloudStack: Any user can list backups that they should not have access to

Description

INFO

2026-05-08T12:06:32.467Z

2026-05-08T12:06:32.467Z

apache

AFFECTED PRODUCTS

REFERENCES

CVSS Vulnerability Scoring System