Unauthorized Access Vulnerability in Apache CloudStack via Proxmox Extension
CVE-2026-25199

9.1CRITICAL

Key Information:

Vendor: Apache
Status: Apache Cloudstack
Vendor: CVE Published:; 8 May 2026

What is CVE-2026-25199?

The Proxmox extension in Apache CloudStack has a serious flaw that allows non-privileged users to gain unauthorized access to CloudStack instances belonging to other tenants. This vulnerability arises from the improper handling of the user-editable 'proxmox_vmid' instance setting, which does not validate tenant ownership and allows malicious users to manipulate it to gain control over VMs of different accounts. The misuse of this predictable VM ID can enable attackers to start, stop, or destroy another tenant's virtual machines. Users are advised to upgrade to version 4.22.0.1 to mitigate this risk, and a temporary workaround is available by restricting access to the 'proxmox_vmid' detail through global configuration.

Affected Version(s)

Apache CloudStack 4.21.0 <= 4.22.0

References

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02k...

vendor-advisory

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Jan 30, 2026

Credit

Sander Grendelman <sander.grendelman@axians.com>

CVE-2026-25199 Data

JSON