CVE 9.3 CRITICAL

STACKIT IaaS API Privilege Escalation via Service Account Attachment_CVE-2026-39910

June 8, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.

AI Analysis

Privilege escalation via service account attachment in STACKIT IaaS API

Basic Information

ID CVE-2026-39910

Source VulnCheck

Published Jun 8, 2026 at 16:16

Affected Product

Vendor STACKIT

Product IaaS API

Affected Versions STACKIT IaaS API 0

CWE Classification

CWE-862

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor STACKIT

Product IaaS API

References

{
    "lastseen": "",
    "description": "STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.",
    "published": "2026-06-08T16:16:09.469Z",
    "modified": "2026-06-08T16:16:09.469Z",
    "type": "cve",
    "title": "STACKIT IaaS API Privilege Escalation via Service Account Attachment",
    "source": "VulnCheck",
    "references": "https://status.stackit.cloud\nhttps://www.vulncheck.com/advisories/stackit-iaas-api-privilege-escalation-via-service-account-attachment",
    "id": "CVE-2026-39910",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "STACKIT IaaS API 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "IaaS API",
    "version": "0",
    "vendor": "STACKIT",
    "ai_description": "Privilege escalation via service account attachment in STACKIT IaaS API",
    "ai_severity": "Critical",
    "ai_vendor": "STACKIT",
    "ai_product": "IaaS API",
    "ai_version": "0",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply