CVE-2025-66172 | THREATINT

Description

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and attach the volume to their own VMs. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.

PUBLISHED Reserved 2025-11-22 | Published 2026-05-08 | Updated 2026-05-08 | Assigner apache

Problem types

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

Product status

Default status

unaffected

4.21.0.0 (custom)

affected

Credits

Gabriel Pordeus reporter

References

lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm vendor-advisory

cve.org (CVE-2025-66172)

nvd.nist.gov (CVE-2025-66172)

Download JSON