CVE-2025-66172

Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to

Description

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and attach the volume to their own VMs. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.

INFO

Published Date :

2026-05-08T12:13:18.311Z

Last Modified :

2026-05-08T12:13:18.311Z

Source :

apache

AFFECTED PRODUCTS

The following products are affected by CVE-2025-66172 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66172.

URL	Resource
https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

CVE-2025-66172

Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to

Description

INFO

2026-05-08T12:13:18.311Z

2026-05-08T12:13:18.311Z

apache

AFFECTED PRODUCTS

REFERENCES

CVSS Vulnerability Scoring System