Improper Authorization Logic in CloudStack Backup Plugin Affects Apache Software Foundation
CVE-2025-66170

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Cloudstack
Vendor: CVE Published:; 8 May 2026

What is CVE-2025-66170?

The CloudStack Backup plugin features an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. This issue allows authenticated users in CloudStack environments to access specific APIs, enabling them to list backups from any user account within the environment. However, it does not permit access to the contents of those backups. It is highly recommended that users upgrade to version 4.22.0.1 to mitigate this vulnerability.

Affected Version(s)

Apache CloudStack 4.21.0.0 <= 4.22.0.0

References

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02k...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Nov 22, 2025

Credit

Gabriel Ortiga Fernandes <gabriel.ortiga@hotmail.com>

Fabricio Duarte <fabricio.duarte.jr@gmail.com>

Gabriel Pordeus Santos <gabrielpordeus@gmail.com>

CVE-2025-66170 Data

JSON