Apache CloudStack Backup Plugin Improper Access Vulnerability Allowing Unauthorized VM Creation

Vulnerability

A vulnerability in the Apache CloudStack Backup plugin, present in versions 4.21.0.0 and 4.22.0.0, allows authenticated users to create new virtual machines (VMs) using backups from other users. This issue arises from improper access logic in the backup plugin, which is enabled in certain environments. Users with access to specific APIs can exploit this vulnerability to misuse backups that do not belong to them.

Impact

Exploitation of this vulnerability allows unauthorized users to create VMs from backups of other users, potentially leading to unauthorized access or use of data.

Remediation

Users are advised to upgrade to Apache CloudStack version 4.22.0.1 or later, which addresses this vulnerability.
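After upgrading, a deployment that ran an affected version can be reviewed for VMs that were created from another account's backup. The following is an added example, not part of the advisory and not CloudStack code: the record layout (`id`, `vm_id`, `backup_id`, `domain`, `account`) is an assumed export format for backups and for VMs created from backups, and the sample data is constructed.

```python
# Retrospective check for cross-account VM creation from backups.
# Record layout is an assumption for illustration, not a CloudStack schema.

AFFECTED = {(4, 21, 0, 0), (4, 22, 0, 0)}  # versions named in the advisory


def parse_version(text):
    """'4.22.0.1' -> (4, 22, 0, 1); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    """True only for the releases the advisory lists as vulnerable."""
    return parse_version(version) in AFFECTED


def audit_restores(backups, restores):
    """Flag VMs whose owner differs from the owner of the source backup."""
    owner_of = {b["id"]: (b["domain"], b["account"]) for b in backups}
    findings = []
    for r in restores:
        owner = owner_of.get(r["backup_id"])
        if owner is None:
            # Backup record is gone, so ownership cannot be confirmed.
            findings.append((r["vm_id"], "backup-not-found"))
        elif owner != (r["domain"], r["account"]):
            findings.append((r["vm_id"], "cross-account"))
    return findings


# Constructed sample data.
SAMPLE_BACKUPS = [
    {"id": "bk-1", "domain": "ROOT/acme", "account": "alice"},
    {"id": "bk-2", "domain": "ROOT/acme", "account": "bob"},
]
SAMPLE_RESTORES = [
    {"vm_id": "vm-1", "backup_id": "bk-1", "domain": "ROOT/acme", "account": "alice"},
    {"vm_id": "vm-2", "backup_id": "bk-2", "domain": "ROOT/acme", "account": "alice"},
    {"vm_id": "vm-3", "backup_id": "bk-9", "domain": "ROOT/acme", "account": "bob"},
]

if __name__ == "__main__":
    if is_affected("4.22.0.0"):
        for vm_id, reason in audit_restores(SAMPLE_BACKUPS, SAMPLE_RESTORES):
            print(vm_id, reason)
```

Flagged entries are leads for review rather than proof of misuse, since an administrator may have restored a backup on a user's behalf.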

Added: May 8, 2026, 1:33 PM
Updated: May 8, 2026, 1:33 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 5.0
exploitability: 4.8
remediation: 8.3
relevance: 7.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.