Apache CloudStack MinIO Policy Retention Vulnerability on Bucket Deletion

Vulnerability

A vulnerability in Apache CloudStack related to MinIO policy management allows users to retain access to previously owned buckets even after deletion. This issue is present in Apache CloudStack versions 4.19.0.0 through 4.20.2.0 and 4.21.0.0 through 4.22.0.0. The vulnerability arises because the policy cleanup is not properly executed during bucket deletion. As a result, if a new bucket is created with the same name by another user, the previous owner can access it without authorization using their old access and secret keys.

Impact

Exploitation of this vulnerability could lead to unauthorized access and modification of MinIO buckets, allowing users to read from and write to buckets they should not have access to.

Remediation

Users are advised to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1 or later, which address this vulnerability.
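
Until the upgrade is applied, leftover grants can be found by comparing bucket policies with current bucket ownership. The following is an added example, not code from Apache CloudStack, MinIO or this advisory. It assumes IAM-style policy documents with `arn:aws:s3:::` resources, and its function names, input shapes and sample data are hypothetical and constructed for illustration.

```python
import fnmatch

ARN_PREFIX = "arn:aws:s3:::"

def as_list(value):
    return value if isinstance(value, list) else [value]

def granted_buckets(policy):
    """Bucket names (or wildcard patterns) in the Allow statements of an IAM-style policy."""
    found = set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for res in as_list(stmt.get("Resource", [])):
            if res.startswith(ARN_PREFIX):
                # "arn:aws:s3:::name" and "arn:aws:s3:::name/*" both name bucket "name"
                found.add(res[len(ARN_PREFIX):].split("/", 1)[0])
    return found

def stale_grants(policies, attachments, owners):
    """Return (user, policy, bucket, reason) for grants that disagree with ownership.
    Assumed shapes: policies maps policy name -> document, attachments maps
    user -> attached policy names, owners maps existing bucket -> current owner."""
    findings = []
    for user, names in sorted(attachments.items()):
        for pname in names:
            for pattern in sorted(granted_buckets(policies.get(pname, {}))):
                matches = sorted(b for b in owners if fnmatch.fnmatchcase(b, pattern))
                if not matches:
                    findings.append((user, pname, pattern, "no existing bucket matches"))
                for bucket in matches:
                    if owners[bucket] != user:
                        findings.append((user, pname, bucket, "owned by " + owners[bucket]))
    return findings

def rw_policy(bucket):  # constructed read/write policy for one bucket
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:*"],
        "Resource": [ARN_PREFIX + bucket, ARN_PREFIX + bucket + "/*"]}]}

# Constructed sample: alice deleted "reports" and "old-logs"; bob later created "reports".
POLICIES = {"alice-reports": rw_policy("reports"), "alice-logs": rw_policy("old-logs"),
            "bob-reports": rw_policy("reports")}
ATTACHMENTS = {"alice": ["alice-reports", "alice-logs"], "bob": ["bob-reports"]}
OWNERS = {"reports": "bob"}

if __name__ == "__main__":
    for finding in stale_grants(POLICIES, ATTACHMENTS, OWNERS):
        print(*finding, sep=" | ")
```

A grant reported as owned by another user is the condition this advisory describes; a grant with no matching bucket is a leftover policy that would become one if the name is reused.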

Added: May 8, 2026, 1:32 PM
Updated: May 8, 2026, 1:32 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 5.0
exploitability: 6.2
remediation: 7.7
relevance: 7.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.