Lior Fatiha

#25598 of 53,639
9.8 Total CVSS
Vulnerabilities · 1
PT-2026-47345
9.8
2026-06-08
Stackit · Stackit Iaas Api · CVE-2026-39910
**Name of the Vulnerable Software and Affected Versions**

STACKIT IaaS API (affected versions not specified)

**Description**

A missing authorization check allows authenticated, low-privileged attackers to escalate privileges to full organization compromise. By exploiting the unvalidated 'PUT servers service-accounts' endpoint, attackers can attach high-privileged service accounts to virtual machines under their control. This enables them to query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.