Vulnerability in Apache CloudStack Affects Kubernetes Clusters Created by Users
CVE-2025-26521

8.1 HIGH

Key Information:

Vendor: Apache

CVE Published: 10 June 2025

What is CVE-2025-26521?

An issue in Apache CloudStack allows project members to access the API key and secret key of the 'kubeadmin' user when a CKS-based Kubernetes cluster is created within a project. With these credentials, an unauthorized project member can impersonate the cluster's creator and perform actions that compromise the resources and integrity of the creator's account. To mitigate this risk, users should update to version 4.19.3.0 or 4.20.1.0 and use proper, dedicated service accounts for project-specific clusters rather than the creator's own credentials. Following security best practices for credential handling is essential to safeguarding sensitive information.

Affected Version(s)

Apache CloudStack 4.17.0.0 < 4.19.3.0

Apache CloudStack 4.20.0.0 < 4.20.1.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published