Improper Access Logic in CloudStack Backup Plugin Affects Apache Software Foundation
CVE-2025-66172

8.1 HIGH

Key Information:

Vendor

Apache

CVE Published:
8 May 2026

What is CVE-2025-66172?

The CloudStack Backup plugin in Apache CloudStack versions 4.21.0.0 and 4.22.0.0 contains improper access logic. An authenticated user can restore volumes from backups that belong to other users and then attach those volumes to their own virtual machines, exposing the data held in other users' backups to unauthorized reading and modification. Users of the affected versions are urged to upgrade to CloudStack 4.22.0.1, which corrects the access check.

Affected Version(s)

Apache CloudStack 4.21.0.0 through 4.22.0.0

CVSS v3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Credit

Gabriel Pordeus