CVE-2026-25199
critical
CVSS 9.1
Information Disclosure in Apache CloudStack (CVE-2026-25199)
Summary
A vulnerability in Apache CloudStack (CVE-2026-25199). Confidential information can be exposed to parties outside the owning tenant.
AI summary openai / gpt-4o
A critical vulnerability has been discovered in the Proxmox extension of Apache CloudStack that allows a tenant user to gain unauthorized access to other tenants' instances. Affected versions are 4.21.0.0 through 4.22.0.0; the issue is fixed in 4.22.0.1. Because the flaw gives full control over another tenant's virtual machine, the impact is severe. Immediate action is required: upgrade, or apply the workaround that stops users from editing the affected setting.
The root cause is improper handling of the proxmox_vmid instance detail, which users are allowed to edit. CloudStack does not validate the value against tenant ownership, and Proxmox VM IDs are predictable, so an attacker can point their own instance at another tenant's Proxmox VM and obtain full unauthorized access to it. As a workaround, add proxmox_vmid to the global setting user.vm.denied.details so that users can no longer edit it. Detection methods are not specified in the source materials.
❓ What is the problem
Cross-tenant unauthorized access in Apache CloudStack via Proxmox extension.
📍 Affected scope
Apache CloudStack versions 4.21.0.0 through 4.22.0.0.
🔥 Severity
Critical severity, CVSS 9.1; the page's vector summary describes it as exploitable over the network with no privileges required. Note that the attack path described above is carried out by an authenticated tenant user of the same CloudStack deployment who edits the proxmox_vmid detail of their own instance, so any account with that ability is a potential attacker.
🔧 How to fix
Upgrade to Apache CloudStack version 4.22.0.1.
🛡️ Workaround
Add proxmox_vmid to the global configuration parameter 'user.vm.denied.details' to prevent editing by users.
🔍 Detection
Not specified in provided materials.
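The page records no detection method. The following is an added heuristic, not from the page or from the CloudStack project. Because the attack works by re-pointing one tenant's instance at another tenant's Proxmox VM ID, two signals are worth checking: a proxmox_vmid value that is referenced by instances in more than one account, and a proxmox_vmid that changed on an existing instance. The rows below are constructed sample data; in a real deployment they would be pulled from the CloudStack database (the user_vm_details table joined to vm_instance, which is an assumption about the schema) or from an admin-level listVirtualMachines call that returns instance details.

```python
from collections import defaultdict

# Constructed sample data: one row per instance, with the account that owns it and the
# current value of its proxmox_vmid detail. Account names and IDs are invented.
BASELINE = [
    {"vm_id": 101, "account": "tenant-a", "proxmox_vmid": "100"},
    {"vm_id": 102, "account": "tenant-a", "proxmox_vmid": "101"},
    {"vm_id": 201, "account": "tenant-b", "proxmox_vmid": "102"},
    {"vm_id": 202, "account": "tenant-b", "proxmox_vmid": "103"},
]

# The same inventory later: tenant-b has re-pointed instance 202 at VM ID 100, which
# belongs to tenant-a's instance 101. This is the abuse pattern the advisory describes.
CURRENT = [
    {"vm_id": 101, "account": "tenant-a", "proxmox_vmid": "100"},
    {"vm_id": 102, "account": "tenant-a", "proxmox_vmid": "101"},
    {"vm_id": 201, "account": "tenant-b", "proxmox_vmid": "102"},
    {"vm_id": 202, "account": "tenant-b", "proxmox_vmid": "100"},
]


def cross_account_collisions(rows):
    """proxmox_vmid values referenced by instances belonging to more than one account.
    A legitimate deployment maps each Proxmox VM to exactly one CloudStack instance."""
    by_vmid = defaultdict(list)
    for r in rows:
        by_vmid[r["proxmox_vmid"]].append(r)
    findings = []
    for vmid, refs in sorted(by_vmid.items()):
        accounts = sorted({r["account"] for r in refs})
        if len(accounts) > 1:
            findings.append({"proxmox_vmid": vmid, "accounts": accounts,
                             "vm_ids": sorted(r["vm_id"] for r in refs)})
    return findings


def changed_vmids(baseline, current):
    """Instances whose proxmox_vmid differs from a baseline snapshot.
    Heuristic assumption: an instance's Proxmox VM ID is set when it is created and
    should not normally change afterwards, so any change is worth an alert.
    Instances with no baseline entry (newly created) are skipped."""
    before = {r["vm_id"]: r["proxmox_vmid"] for r in baseline}
    changes = []
    for r in current:
        old = before.get(r["vm_id"])
        if old is not None and old != r["proxmox_vmid"]:
            changes.append({"vm_id": r["vm_id"], "account": r["account"],
                            "old": old, "new": r["proxmox_vmid"]})
    return changes


def report(baseline, current):
    """Human-readable alert lines for both signals."""
    lines = []
    for c in changed_vmids(baseline, current):
        lines.append(f"CHANGED vm {c['vm_id']} ({c['account']}): "
                     f"proxmox_vmid {c['old']} -> {c['new']}")
    for f in cross_account_collisions(current):
        lines.append(f"COLLISION proxmox_vmid {f['proxmox_vmid']} shared by accounts "
                     f"{', '.join(f['accounts'])} (vm ids {f['vm_ids']})")
    return lines


if __name__ == "__main__":
    for line in report(BASELINE, CURRENT):
        print(line)
```

Run the collision check on every inventory pull and the change check against a snapshot taken after the upgrade or workaround; once proxmox_vmid is denied to users, any change that still appears should come only from administrators and can be reconciled against change records.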
Related past incidents
Similar incidents extracted from past CVEs
A similar unauthorized-access issue that allowed full control of the target system.
Another case of unauthorized remote access caused by improper validation of the referenced resource.
Log4Shell (CVE-2021-44228), which involved unauthorized access through a different attack vector.
If this happens at your company
Expected impact per business scenario
📌 E-commerce site operator
Customers' personal information and credit card data could be stolen.
📌 Internal business systems
Internal business data could be accessed from outside without authorization, with the risk that confidential information is leaked.
📌 Cloud service provider
Data leakage across multiple cloud tenants could result in loss of customer trust.
Recommended action
Upgrade to version 4.22.0.1 promptly, and change the configuration so that users are not permitted to edit the affected setting.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
1. Identify exposure
Determine which CloudStack management servers are running and which version they run. CloudStack is an installed service rather than an application dependency, so grepping dependency lock files is not useful here; instead query the package on each management host (`rpm -q cloudstack-management` or `dpkg -l cloudstack-management`, the standard CloudStack package name) or call the `listCapabilities` API and read `cloudstackversion`. A deployment is in scope if the version is 4.21.0.0 through 4.22.0.0 and the Proxmox extension is in use.
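The version check in this step and the user.vm.denied.details workaround from the Workaround section can be scripted against the CloudStack API. The following is an added example, not code from the page or from the CloudStack project. It signs requests the way the CloudStack API requires (HMAC-SHA1 over the lower-cased, sorted, URL-encoded query string, base64-encoded), reads the version from `listCapabilities`, and, if the server is in the affected range, appends proxmox_vmid to user.vm.denied.details with `updateConfiguration`. The environment variable names CLOUDSTACK_ENDPOINT, CLOUDSTACK_API_KEY and CLOUDSTACK_SECRET_KEY are chosen for this example, and the treatment of user.vm.denied.details as a comma-separated list is an assumption; the keys must belong to an administrator for the update call to succeed.

```python
import base64
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request

# Version window from the advisory (inclusive) and the fixed release.
AFFECTED_MIN = (4, 21, 0, 0)
AFFECTED_MAX = (4, 22, 0, 0)
FIXED_VERSION = "4.22.0.1"
SETTING = "user.vm.denied.details"


def parse_version(text: str) -> tuple:
    """'4.22.0.1-SNAPSHOT' -> (4, 22, 0, 1); shorter strings are zero-padded to 4 parts."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def merge_denied_details(current: str, detail: str = "proxmox_vmid") -> str:
    """Append `detail` to the list unless it is already present, keeping existing entries.
    Assumption: user.vm.denied.details is a comma-separated list of detail names."""
    items = [x.strip() for x in (current or "").split(",") if x.strip()]
    if detail not in items:
        items.append(detail)
    return ",".join(items)


def canonical_query(params: dict) -> str:
    """The string CloudStack signs: keys sorted case-insensitively, values URL-encoded
    with '+' rewritten to '%20', and the whole string lower-cased."""
    pairs = []
    for key in sorted(params, key=str.lower):
        value = urllib.parse.quote_plus(str(params[key]), safe="*").replace("+", "%20")
        pairs.append(f"{key}={value}")
    return "&".join(pairs).lower()


def sign_params(params: dict, secret_key: str) -> str:
    """HMAC-SHA1 of the canonical query under the account's secret key, base64-encoded."""
    digest = hmac.new(secret_key.encode(), canonical_query(params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def api_call(endpoint: str, api_key: str, secret_key: str, command: str, **kwargs) -> dict:
    """Send a signed GET to the CloudStack API and return the decoded JSON body."""
    params = {"command": command, "apiKey": api_key, "response": "json", **kwargs}
    params["signature"] = sign_params(params, secret_key)
    url = endpoint.rstrip("/") + "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def main() -> None:
    endpoint = os.environ["CLOUDSTACK_ENDPOINT"]  # e.g. https://cloudstack.example.test/client/api
    api_key = os.environ["CLOUDSTACK_API_KEY"]
    secret_key = os.environ["CLOUDSTACK_SECRET_KEY"]

    caps = api_call(endpoint, api_key, secret_key, "listCapabilities")
    version = caps["listcapabilitiesresponse"]["capability"]["cloudstackversion"]
    print(f"management server version: {version}")
    if not is_affected(version):
        print("not in the affected range 4.21.0.0 - 4.22.0.0; nothing to do")
        return

    conf = api_call(endpoint, api_key, secret_key, "listConfigurations", name=SETTING)
    entry = next(c for c in conf["listconfigurationsresponse"]["configuration"] if c["name"] == SETTING)
    current = entry.get("value", "") or ""
    updated = merge_denied_details(current)
    if updated == current:
        print(f"proxmox_vmid already denied; still upgrade to {FIXED_VERSION}")
        return
    api_call(endpoint, api_key, secret_key, "updateConfiguration", name=SETTING, value=updated)
    print(f"{SETTING}: {current!r} -> {updated!r}; still upgrade to {FIXED_VERSION}")


if __name__ == "__main__":
    main()
```

The workaround only blocks the edit path; it does not undo references that were already changed, so pair it with an inventory check of existing proxmox_vmid values and with the upgrade to 4.22.0.1.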
7. Post-deployment verification
Confirm the patched version is live in production. After applying the patch, reproduce the PoC or an equivalent abuse pattern in staging to confirm the vulnerability is closed: from an ordinary (non-admin) tenant account, attempt to set the proxmox_vmid detail on an instance with `updateVirtualMachine` and confirm the request is rejected, and confirm `listCapabilities` reports 4.22.0.1 or later. In production, keep monitoring with the same log query as Step 3 to confirm the alert does not recur.