Apache CloudStack: Any user can list backups that they should...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup.

Users are recommended to upgrade to version 4.22.0.1, which fixes the issue.

Basic Information

ID CVE-2025-66170

Source apache

Published May 8, 2026 at 12:06

Modified May 8, 2026 at 17:57

Affected Product

Vendor Apache Software Foundation

Product Apache CloudStack

Version 4.21.0.0

Affected Versions Apache Software Foundation Apache CloudStack 4.21.0.0

CWE Classification

CWE-863

References

lists.apache.org /thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

{
    "lastseen": "",
    "description": "The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup.\n\nUsers are recommended to upgrade to version 4.22.0.1, which fixes the issue.",
    "published": "2026-05-08T12:06:32.467Z",
    "modified": "2026-05-08T17:57:26.694Z",
    "type": "cve",
    "title": "Apache CloudStack: Any user can list backups that they should not have access to",
    "source": "apache",
    "references": "https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm",
    "id": "CVE-2025-66170",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache CloudStack 4.21.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache CloudStack",
    "version": "4.21.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache CloudStack: Any user can list backups that they should not have access to_CVE-2025-66170