CVE-2025-66467

Published May 8, 2026

Last updated 2 days ago

CVSS high 8.0

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-66467 describes a vulnerability within Apache CloudStack related to MinIO policy cleanup. The issue arises when MinIO policies are not properly removed after a bucket is deleted via Apache CloudStack. This oversight allows former owners of a bucket to retain their access permissions. Consequently, if a new bucket is subsequently created with the identical name, the previous owners can exploit their retained access and secret keys to gain unauthorized read and write access to the newly created bucket. Users are advised to update to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, to address this vulnerability.

Description
Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
Source
security@apache.org
NVD status
Analyzed
Products
cloudstack

Risk scores

CVSS 3.1

Type
Primary
Base score
8.1
Impact score
5.2
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Severity
HIGH

Weaknesses

security@apache.org
CWE-459

Social media

Hype score
Not currently trending

  1. CVE-2025-66467 Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a … https://t.co/WV99Skw3gk

    @CVEnew

    9 May 2026

    350 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-66467 Unauthorized Bucket Access via Uncleared MinIO Policies in Apache CloudStack https://t.co/4IbPNbbIuY

    @VulmonFeeds

    8 May 2026

    175 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ⚠️ HIGH — CVE-2025-66467 Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which th… CVSS 8.0 Full analysis → https://t.co/XTdRLNIp5b #Apache #CyberSecurity #InfoSec

    @KaitanSecurity

    8 May 2026

    256 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine. Users are recommended to upgrade to version 4.22.0.1, which fixes this issue. As a workaround for the existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details.CVE-2026-25199
  2. Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.CVE-2026-25077
  3. Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.CVE-2025-69233
  4. The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and attach the volume to their own VMs. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.CVE-2025-66172
  5. The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.CVE-2025-66171

References

Sources include official advisories and independent security research.