External risk intelligence

Apache CloudStack could allow an internal attacker to control other tenants' virtual machines.

CVE advisory. Severity: CRITICAL (CVSS 9.1)

CVE-2026-25199

An internal attacker with legitimate access to Apache CloudStack can hijack other tenants' virtual machines. This could allow them to stop, start, or destroy those machines, resulting in service disruption and potential compromise of sensitive cloud resources.

Halo Surface Signal: 2

Improper Input Validation

Apache CloudStack

Affected versions: 4.21.0.0 up to, but not including, 4.22.0.1

External exposure likelihood


The flaw sits in CloudStack's authenticated management interface. The portal may be reachable from the internet, but exploitation requires a valid user account on the platform, because the attacker has to edit a setting on an instance they already own. It is therefore not an unauthenticated, public-facing entry point. One caveat for public clouds: every customer holds such an account, so "internal attacker" here means any tenant, not only staff.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Apache CloudStack allows unauthorized access to virtual machines belonging to other tenants. An attacker can modify a specific instance setting to control another user's virtual machine, including starting, stopping, or destroying it. This could lead to significant disruption and data compromise.

  • Allows control of other users' machines.
  • Impacts multi-tenant environments.
  • Requires existing user access.

Attack Path

How an attacker could exploit the issue

An attacker exploits the flaw by editing a user-editable instance setting on an instance they own so that it references a Proxmox virtual machine (VM) belonging to another tenant; this applies to CloudStack instances deployed through its Proxmox integration. CloudStack does not verify that the referenced VM belongs to the caller's account, so it acts on whatever Proxmox VM the setting names, giving the attacker start, stop and destroy control over the victim's VM. The attack relies on predictable Proxmox VM IDs and on the missing ownership validation of that setting.

  • Requires authenticated access.
  • Targets instance settings.
  • Predictable VM IDs are key.

Live Threat

Current exploitation, exposure, and threat context

Exploitation needs only a standard user account that can reach the CloudStack management interface; no elevated privileges are required, and the payoff is full lifecycle control of the targeted VMs. That profile makes the flaw attractive to a malicious or compromised tenant but unattractive for mass exploitation: it cannot be found by external scanning, and it requires pre-existing access plus knowledge of the environment, namely which Proxmox VM IDs belong to which victims.

  • Exploitation requires authenticated user.
  • No public exploit code observed.
  • Recent publication date.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading Apache CloudStack to 4.22.0.1, which closes the cross-tenant access. If immediate patching is not feasible, apply the documented workaround: add `proxmox_vmid` to the `user.vm.denied.details` global configuration parameter so that users can no longer edit that instance detail. The workaround blocks future edits but does not undo ones already made, so also review existing instances for `proxmox_vmid` values that point at VMs the owning account does not hold.

  • Upgrade to 4.22.0.1.
  • Until then, deny user edits of `proxmox_vmid` through `user.vm.denied.details`.
  • Audit API and event logs for changes to the `proxmox_vmid` instance detail (typically made through `updateVirtualMachine`) and for start/stop/destroy actions that follow them, and flag any VMID the calling account does not own.
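The audit step above, as an added example that is not part of this advisory or of CloudStack itself: it parses API-server style log lines, picks out `updateVirtualMachine` calls that set the `proxmox_vmid` detail, checks the new VMID against an inventory of which account owns which Proxmox VM, and lists the lifecycle calls that followed. The log lines and the `VMID_OWNER` inventory are constructed for the example, and the exact `api-server.log` field order is an assumption, so adjust `LOG_LINE` for your build.

```python
"""Flag proxmox_vmid changes in CloudStack API logs and check tenant ownership.

Added example for this advisory; it is not code from the CloudStack project.
SAMPLE_API_LOG approximates the api-server.log layout and VMID_OWNER is a
constructed inventory; both are assumptions for illustration.
"""
import re
from urllib.parse import parse_qs

# One api-server.log style line: timestamp, level, logger, thread, logid,
# session (userId/accountId), client IP, HTTP method, query string, status.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \w+\s+\[[^\]]+\] \([^)]*\) \(logid:[^)]*\) "
    r"\(userId=(?P<user>\d+) accountId=(?P<account>\d+) sessionId=[^)]*\) "
    r"(?P<ip>\S+) -- (?P<method>\w+) (?P<query>\S+) (?P<status>\d+)"
)
# The detail travels as a map parameter; parse_qs also decodes the
# percent-encoded form details%5B0%5D.proxmox_vmid to this key.
VMID_KEY = re.compile(r"^details\[\d+\]\.proxmox_vmid$")
LIFECYCLE = {"startVirtualMachine", "stopVirtualMachine",
             "rebootVirtualMachine", "destroyVirtualMachine"}

# Constructed inventory: Proxmox VMID -> CloudStack accountId that owns it.
VMID_OWNER = {"118": "3", "204": "7"}

# Constructed sample: account 7 repoints its instance at VMID 118 (owned by
# account 3), then starts and stops it; account 2 makes a harmless rename;
# account 7 later sets a VMID it does own.
SAMPLE_API_LOG = """\
2026-02-12 09:14:02,118 INFO  [c.c.a.ApiServer] (qtp-1:ctx-a1) (logid:0a1b) (userId=7 accountId=7 sessionId=s1) 10.1.4.22 -- GET command=listVirtualMachines&response=json 200 {}
2026-02-12 09:14:40,551 INFO  [c.c.a.ApiServer] (qtp-1:ctx-a2) (logid:0a1c) (userId=7 accountId=7 sessionId=s1) 10.1.4.22 -- GET command=updateVirtualMachine&id=5c3e0000-0000-4000-8000-000000000001&details[0].proxmox_vmid=118&response=json 200 {}
2026-02-12 09:15:03,007 INFO  [c.c.a.ApiServer] (qtp-1:ctx-a3) (logid:0a1d) (userId=7 accountId=7 sessionId=s1) 10.1.4.22 -- GET command=startVirtualMachine&id=5c3e0000-0000-4000-8000-000000000001&response=json 200 {}
2026-02-12 09:18:44,900 INFO  [c.c.a.ApiServer] (qtp-1:ctx-a4) (logid:0a1e) (userId=7 accountId=7 sessionId=s1) 10.1.4.22 -- GET command=stopVirtualMachine&id=5c3e0000-0000-4000-8000-000000000001&response=json 200 {}
2026-02-12 09:20:11,300 INFO  [c.c.a.ApiServer] (qtp-2:ctx-b1) (logid:0b01) (userId=2 accountId=2 sessionId=s9) 10.1.0.5 -- GET command=updateVirtualMachine&id=77aa0000-0000-4000-8000-000000000002&displayname=web01&response=json 200 {}
2026-02-12 09:31:27,042 INFO  [c.c.a.ApiServer] (qtp-1:ctx-a5) (logid:0a1f) (userId=7 accountId=7 sessionId=s1) 10.1.4.22 -- GET command=updateVirtualMachine&id=9d0f0000-0000-4000-8000-000000000003&details[0].proxmox_vmid=204&response=json 200 {}
"""


def parse_line(line):
    """Return a dict for one API log line, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    query = parse_qs(m.group("query"), keep_blank_values=True)
    rec = m.groupdict()
    rec["command"] = query.pop("command", [""])[0]
    rec["params"] = {k: v[0] for k, v in query.items()}
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify(account, vmid, owner_map):
    """Ownership check CloudStack did not perform before the fix."""
    owner = owner_map.get(vmid)
    if owner is None:
        return "UNKNOWN_VMID"
    return "OWN" if owner == account else "CROSS_TENANT"


def detect(records, owner_map):
    """One finding per proxmox_vmid change, with the lifecycle calls that the
    same account issued afterwards against the same CloudStack instance."""
    findings = []
    for i, rec in enumerate(records):
        if rec["command"] != "updateVirtualMachine":
            continue
        for key, vmid in rec["params"].items():
            if not VMID_KEY.match(key):
                continue
            target = rec["params"].get("id")
            followed = [r["command"] for r in records[i + 1:]
                        if r["account"] == rec["account"]
                        and r["command"] in LIFECYCLE
                        and r["params"].get("id") == target]
            findings.append({
                "ts": rec["ts"], "account": rec["account"], "user": rec["user"],
                "ip": rec["ip"], "instance": target, "vmid": vmid,
                "verdict": classify(rec["account"], vmid, owner_map),
                "followed_by": followed,
            })
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_API_LOG), VMID_OWNER):
        print(f"{f['ts']} account={f['account']} ip={f['ip']} vmid={f['vmid']} "
              f"{f['verdict']} followed_by={f['followed_by']}")
```

Running the block prints one CROSS_TENANT finding for account 7 (VMID 118, followed by start and stop) and one OWN finding for VMID 204. Feed it your real log and a VMID-to-account map exported from the Proxmox side; anything reported as CROSS_TENANT or UNKNOWN_VMID before the workaround was applied is an instance to inspect and repoint.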

Frequently asked questions

What is Apache CloudStack and its primary function?

Apache CloudStack is a software platform designed for deploying and managing virtual machines and other cloud computing resources. It enables organizations to build and operate public or private clouds, facilitating the provisioning and control of infrastructure for applications and services.

What type of weakness does CVE-2026-25199 represent?

CVE-2026-25199 involves an Improper Input Validation weakness. This means the software fails to adequately check or restrict user-provided data, potentially allowing attackers to bypass security controls and gain unauthorized access.

How can an attacker exploit CVE-2026-25199 in Proxmox-deployed instances?

An attacker can exploit this by manipulating the `proxmox_vmid` instance setting, which is user-editable. Since this setting is not validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can reference a VM belonging to another account, gaining unauthorized cross-tenant access.

What is the relevance of CVE-2026-25199 in a multi-tenant environment?

This vulnerability is significant in multi-tenant environments because it allows an authenticated attacker to gain full control over virtual machines belonging to other tenants. They can start, stop, or destroy these VMs, leading to disruption and potential data compromise.

What actions should be taken to address CVE-2026-25199?

Users should upgrade Apache CloudStack to version 4.22.0.1. As a workaround for existing installations, prevent user editing of the `proxmox_vmid` instance detail by adding it to the `user.vm.denied.details` global configuration parameter.
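The workaround described here and under Operational Fix, applied through the CloudStack API, as an added example that is not code from the CloudStack project: it reads the current `user.vm.denied.details` value with `listConfigurations`, appends `proxmox_vmid` only if it is missing, and writes it back with `updateConfiguration`. The request signing follows CloudStack's documented scheme (sorted, lowercased query string, HMAC-SHA1 with the secret key, base64). The environment variable names `CS_ENDPOINT`, `CS_API_KEY` and `CS_SECRET_KEY` and the `apply_workaround` helper are this script's own conventions; the canned response in the usage note is constructed.

```python
"""Add proxmox_vmid to user.vm.denied.details via the CloudStack API.

Added example, not code from the CloudStack project. Assumes CS_ENDPOINT
(e.g. https://cloud.example/client/api), CS_API_KEY and CS_SECRET_KEY are
set for an admin account; those variable names are this script's own.
"""
import base64
import hashlib
import hmac
import json
import os
import sys
import urllib.parse
import urllib.request

DENIED_PARAM = "user.vm.denied.details"
DETAIL = "proxmox_vmid"


def _encode(value):
    # CloudStack expects URL encoding with spaces as %20, never '+'.
    return urllib.parse.quote(str(value), safe="*")


def sign(params, secret):
    """CloudStack request signature: lowercase keys, sort, join as a query
    string, lowercase the whole string, HMAC-SHA1 with the secret, base64."""
    pairs = sorted((k.lower(), _encode(v)) for k, v in params.items())
    to_sign = "&".join(f"{k}={v}" for k, v in pairs).lower()
    digest = hmac.new(secret.encode(), to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_url(endpoint, api_key, secret, command, **extra):
    """Signed GET URL for one API command."""
    params = {"command": command, "apiKey": api_key, "response": "json", **extra}
    query = "&".join(f"{k}={_encode(v)}" for k, v in params.items())
    return f"{endpoint}?{query}&signature={_encode(sign(params, secret))}"


def merge_denied_details(current, detail=DETAIL):
    """Append `detail` to the comma-separated list exactly once, keeping the
    existing formatting untouched when nothing needs to change."""
    items = [x.strip() for x in (current or "").split(",") if x.strip()]
    if detail in items:
        return current
    if not items:
        return detail
    return f"{current.strip().rstrip(',')},{detail}"


def current_value(list_response):
    """Extract the setting's value from a listConfigurations JSON response."""
    entries = list_response["listconfigurationsresponse"].get("configuration", [])
    for entry in entries:
        if entry.get("name") == DENIED_PARAM:
            return entry.get("value") or ""
    return ""


def call(url):
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def apply_workaround(endpoint, api_key, secret, do_call=call):
    """Read, merge, write back. Returns (old_value, new_value); the update
    call is skipped when proxmox_vmid is already denied."""
    listed = do_call(build_url(endpoint, api_key, secret,
                               "listConfigurations", name=DENIED_PARAM))
    old = current_value(listed)
    new = merge_denied_details(old)
    if new != old:
        do_call(build_url(endpoint, api_key, secret,
                          "updateConfiguration", name=DENIED_PARAM, value=new))
    return old, new


if __name__ == "__main__":
    try:
        endpoint, key, secret = (os.environ[k] for k in
                                 ("CS_ENDPOINT", "CS_API_KEY", "CS_SECRET_KEY"))
    except KeyError as exc:
        sys.exit(f"missing environment variable {exc}")
    old, new = apply_workaround(endpoint, key, secret)
    print(f"{DENIED_PARAM}: {old!r} -> {new!r}")
```

The read-merge-write shape matters: overwriting the parameter with just `proxmox_vmid` would silently re-enable every other detail the operator had already denied. After the update, confirm with `listConfigurations` that the new value is in place and check whether CloudStack reports the setting as dynamic; if it does not, restart the management server for the change to take effect. The workaround only stops further edits, so pair it with the log audit from the Operational Fix section to catch edits that already happened.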
