Authorization Flaw in Apache CloudStack Affects User Access Control
CVE-2025-66467

8 HIGH

Key Information:

Vendor

Apache

CVE Published:
8 May 2026

What is CVE-2025-66467?

A significant access control issue exists in Apache CloudStack: the access and secret keys issued to the owner of a bucket remain valid after that bucket is deleted. If another user later creates a bucket with the same name, the former owner can use the previously issued keys to access the new bucket. To secure your environment, it is recommended to upgrade to Apache CloudStack version 4.20.3.0 or 4.22.0.1 or later, which address this issue.
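The model below is an added illustration of the flaw class described above; it is not CloudStack code and does not describe CloudStack's internals. It assumes a hypothetical `BucketService` whose behaviour is controlled by a `Policy` with three switches: whether a bucket's keys are revoked when the bucket is deleted, whether keys are bound to a per-creation bucket id rather than the bucket name, and whether the key's owner must match the current bucket owner. `replay_scenario` runs the sequence from the advisory (owner creates a bucket, deletes it, a second user re-creates the name, the former owner presents the old keys) under a chosen policy and reports which requests are authorized.

```python
"""Toy model of the bucket-credential lifecycle behind CVE-2025-66467.

Constructed example, not Apache CloudStack code. It exercises two policies
for the same operations (create, delete, authorize) so the difference between
"keys survive deletion and bind by name" and "keys are revoked on deletion and
bind by bucket identity" can be observed directly.
"""
import itertools
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    revoke_on_delete: bool   # drop the bucket's keys when the bucket is deleted
    bind_by_id: bool         # keys reference a per-creation bucket id, not the name
    check_owner: bool        # key owner must equal the current bucket owner


VULNERABLE = Policy(revoke_on_delete=False, bind_by_id=False, check_owner=False)
HARDENED = Policy(revoke_on_delete=True, bind_by_id=True, check_owner=True)


@dataclass
class Bucket:
    bucket_id: str   # hypothetical stable id, distinct for every creation
    name: str
    owner: str


@dataclass
class Credential:
    access_key: str
    secret_key: str
    owner: str
    bucket_ref: str  # bucket name or bucket_id, depending on Policy.bind_by_id


class BucketService:
    """Hypothetical service; names and structure are assumptions for this example."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.buckets: dict[str, Bucket] = {}      # name -> Bucket (names unique while live)
        self.creds: dict[str, Credential] = {}    # access_key -> Credential
        self._ids = itertools.count(1)

    def _ref(self, bucket: Bucket) -> str:
        return bucket.bucket_id if self.policy.bind_by_id else bucket.name

    def create_bucket(self, owner: str, name: str):
        if name in self.buckets:
            raise ValueError(f"bucket name already in use: {name}")
        bucket = Bucket(f"bkt-{next(self._ids)}", name, owner)
        self.buckets[name] = bucket
        cred = Credential(secrets.token_hex(8), secrets.token_hex(16), owner, self._ref(bucket))
        self.creds[cred.access_key] = cred
        return bucket, cred

    def delete_bucket(self, owner: str, name: str) -> None:
        bucket = self.buckets.get(name)
        if bucket is None or bucket.owner != owner:
            raise PermissionError(f"{owner} may not delete {name}")
        del self.buckets[name]
        if self.policy.revoke_on_delete:
            # Revoke every key that referenced the deleted bucket.
            stale = [k for k, c in self.creds.items() if c.bucket_ref == self._ref(bucket)]
            for k in stale:
                del self.creds[k]

    def authorize(self, access_key: str, secret_key: str, name: str) -> bool:
        cred = self.creds.get(access_key)
        if cred is None or not secrets.compare_digest(cred.secret_key, secret_key):
            return False
        bucket = self.buckets.get(name)
        if bucket is None or cred.bucket_ref != self._ref(bucket):
            return False
        if self.policy.check_owner and cred.owner != bucket.owner:
            return False
        return True


def replay_scenario(policy: Policy) -> dict:
    """Create, delete, re-create under another user, then present the old keys."""
    svc = BucketService(policy)
    _, alice_keys = svc.create_bucket("alice", "reports")
    before = svc.authorize(alice_keys.access_key, alice_keys.secret_key, "reports")
    svc.delete_bucket("alice", "reports")
    _, bob_keys = svc.create_bucket("bob", "reports")   # same name, new owner
    stale = svc.authorize(alice_keys.access_key, alice_keys.secret_key, "reports")
    bob_ok = svc.authorize(bob_keys.access_key, bob_keys.secret_key, "reports")
    return {"owner_before_delete": before,
            "former_owner_after_recreate": stale,
            "new_owner": bob_ok}


if __name__ == "__main__":
    for label, policy in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, replay_scenario(policy))
```

Under `VULNERABLE`, the former owner's keys still authorize against the re-created bucket because nothing tied them to the bucket that was actually deleted. Any one of the three controls closes the gap on its own (revocation removes the keys, id binding makes them refer to a bucket that no longer exists, and the owner check rejects them for the new owner); applying all three is defence in depth, and revocation on delete is the control that also limits the window for stale keys that never get presented.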

Affected Version(s)

Apache CloudStack 4.19.0.0 up to and including 4.20.2.0

Apache CloudStack 4.21.0.0 up to and including 4.22.0.0

CVSS V3.1

  • Score: 8
  • Severity: HIGH
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Roman Kozello <roman.kozello@gmail.com>