STACKIT IaaS API Missing Authorization Check Vulnerability Allowing Privilege Escalation

Vulnerability

A missing authorization check vulnerability has been identified in the STACKIT IaaS API, affecting versions prior to the 2026-05-28 update. It allows an authenticated, low-privileged attacker to escalate privileges and compromise an entire organization. The PUT servers service-accounts endpoint lacked an authorization check, so an attacker could attach arbitrary service accounts, including high-privileged ones, to virtual machines they control. From such a machine, the Instance Metadata Service can be queried for the attached service account's OAuth2 tokens, which lets the attacker bypass tenant boundaries and gain unauthorized control over the organization's environment.
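The missing check, as an added illustration that is not STACKIT's code (the handler, the permission names server.update and serviceaccount.actAs, the project ids and the service accounts are all hypothetical and constructed for the example): a minimal "attach service account to server" handler in its vulnerable form, where only the server is authorized, beside the fixed form that also authorizes the service account and enforces the tenant boundary, plus a helper showing which roles a workload on the VM would then obtain from the metadata service.

```python
"""Added illustration, not STACKIT's code: a hypothetical 'attach service
account to server' handler before and after the missing authorization
check is added. All identifiers, roles and permission strings are made up."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the operation."""


@dataclass
class Server:
    server_id: str
    project_id: str
    service_accounts: set = field(default_factory=set)


@dataclass(frozen=True)
class ServiceAccount:
    sa_id: str
    project_id: str
    roles: frozenset  # roles carried by tokens minted for this account


@dataclass(frozen=True)
class Caller:
    user_id: str
    grants: frozenset  # (permission, resource_id) pairs held by the caller


@dataclass
class Inventory:
    servers: dict
    service_accounts: dict


def sample_inventory():
    """Constructed sample data: one VM in the attacker's own project and
    three service accounts, one of them a high-privileged org admin."""
    return Inventory(
        servers={"srv-1": Server("srv-1", "proj-tenant-a")},
        service_accounts={
            "sa-low": ServiceAccount("sa-low", "proj-tenant-a", frozenset({"project.viewer"})),
            "sa-other": ServiceAccount("sa-other", "proj-tenant-a", frozenset({"project.editor"})),
            "sa-org-admin": ServiceAccount("sa-org-admin", "proj-platform", frozenset({"org.admin"})),
        },
    )


def has_permission(caller, permission, resource_id):
    return (permission, resource_id) in caller.grants


def attach_service_account_vulnerable(inv, caller, server_id, sa_id):
    """Before the fix: only the server is authorized. Nothing checks that
    the caller may use the service account, so any account id can be
    bound to a VM the caller controls."""
    server = inv.servers[server_id]
    if not has_permission(caller, "server.update", server_id):
        raise Forbidden("caller may not update " + server_id)
    sa = inv.service_accounts[sa_id]
    server.service_accounts.add(sa.sa_id)
    return sorted(server.service_accounts)


def attach_service_account_fixed(inv, caller, server_id, sa_id):
    """After the fix: the server, the service account and the tenant
    boundary between them are all authorized before binding."""
    server = inv.servers[server_id]
    if not has_permission(caller, "server.update", server_id):
        raise Forbidden("caller may not update " + server_id)
    sa = inv.service_accounts.get(sa_id)
    # Unknown and cross-project look the same to the caller (no existence leak).
    if sa is None or sa.project_id != server.project_id:
        raise Forbidden("service account not usable from " + server.project_id)
    # The caller must hold an explicit grant to act as this particular account.
    if not has_permission(caller, "serviceaccount.actAs", sa_id):
        raise Forbidden("caller may not act as " + sa_id)
    server.service_accounts.add(sa.sa_id)
    return sorted(server.service_accounts)


def roles_reachable_from_metadata(inv, server_id):
    """Roles a workload on the VM would obtain from tokens served by the
    metadata service: the union over every attached service account."""
    server = inv.servers[server_id]
    roles = set()
    for sa_id in server.service_accounts:
        roles |= inv.service_accounts[sa_id].roles
    return roles


def raises_forbidden(handler, *args):
    """True if the handler rejects the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    attacker = Caller("user-a", frozenset({("server.update", "srv-1"),
                                           ("serviceaccount.actAs", "sa-low")}))
    inv = sample_inventory()
    attach_service_account_vulnerable(inv, attacker, "srv-1", "sa-org-admin")
    print("vulnerable handler, roles on VM:", roles_reachable_from_metadata(inv, "srv-1"))
    inv = sample_inventory()
    print("fixed handler rejects org admin:",
          raises_forbidden(attach_service_account_fixed, inv, attacker, "srv-1", "sa-org-admin"))
    attach_service_account_fixed(inv, attacker, "srv-1", "sa-low")
    print("fixed handler, roles on VM:", roles_reachable_from_metadata(inv, "srv-1"))
```

The point of the fixed handler is that a request binding two resources must be authorized against both of them: the caller's right to edit the server says nothing about their right to use the identity being attached, and the project comparison closes the tenant boundary independently of any individual grant.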

Impact

Exploitation of this vulnerability could lead to unauthorized access and control over an organization's entire environment, allowing attackers to manipulate resources and data across the organization.

Remediation

STACKIT has already applied a security patch to address this vulnerability. No action is required from users.

Added: Jun 8, 2026, 6:10 PM
Updated: Jun 8, 2026, 6:10 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           0.0
impact           2.5
exploitability   5.2
remediation      0.0
relevance        9.3
threat           0.0
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.