CVE-2025-66171

Apache CloudStack: Any user can create a new VM from backups they should not have access to

Description

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.

INFO

Published Date :

2026-05-08T12:11:03.883Z

Last Modified :

2026-05-08T12:11:03.883Z

Source :

apache

AFFECTED PRODUCTS

The following products are affected by CVE-2025-66171 vulnerability.

Vendors	Products
Apache	Cloudstack

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66171.

URL	Resource
https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

CVE-2025-66171

Apache CloudStack: Any user can create a new VM from backups they should not have access to

Description

INFO

2026-05-08T12:11:03.883Z

2026-05-08T12:11:03.883Z

apache

AFFECTED PRODUCTS

REFERENCES

CVSS Vulnerability Scoring System