Apache · Apache Cloudstack · CVE-2016-6813
**Name of the Vulnerable Software and Affected Versions**
Apache CloudStack versions 4.1 through 4.8.1.0
Apache CloudStack version 4.9.0.0
**Description**
The issue allows a malicious user to reset the API keys for another non-root CloudStack user if the malicious user can determine the ID of that user. This could lead to unauthorized access to the user's account and resources.
**Recommendations**
For Apache CloudStack versions 4.1 through 4.8.1.0 and version 4.9.0.0, consider restricting access to the API call that allows registration for the developer API until a fix is available.
As a temporary workaround, consider implementing additional authentication or authorization checks to prevent unauthorized API key resets.
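As an added example (not CloudStack's own code), the Python below models the missing ownership check behind the key reset described above (CloudStack's registerUserKeys call), beside the kind of authorization check the workaround asks for; the user, role and domain-path names are assumptions.

```python
# Added example (not CloudStack's own code): simplified model of the missing ownership
# check behind the described API key reset, beside a hardened version. Names are assumptions.
import secrets
from dataclasses import dataclass, field

ROOT_ADMIN, DOMAIN_ADMIN, USER = "root-admin", "domain-admin", "user"

@dataclass
class User:
    id: int
    domain: str  # path such as "ROOT/finance"; sub-domains extend the path
    role: str
    api_key: str = field(default_factory=lambda: secrets.token_hex(16))
    secret_key: str = field(default_factory=lambda: secrets.token_hex(16))

class Forbidden(Exception):
    pass

def _rotate(target: User) -> tuple[str, str]:
    # Old keys stop working; the new pair goes back to whoever called the API.
    target.api_key, target.secret_key = secrets.token_hex(16), secrets.token_hex(16)
    return target.api_key, target.secret_key

def register_user_keys_vulnerable(caller: User, target_id: int, users: dict) -> tuple[str, str]:
    # Only root admins are protected: any caller who knows another non-root user's ID
    # can rotate that user's keys and receive the new pair.
    target = users[target_id]
    if target.role == ROOT_ADMIN and caller.role != ROOT_ADMIN:
        raise Forbidden("cannot reset keys of a root admin")
    return _rotate(target)

def register_user_keys_hardened(caller: User, target_id: int, users: dict) -> tuple[str, str]:
    # Caller must be the target user, a root admin, or a domain admin whose
    # domain (or a sub-domain of it) holds a non-root target.
    target = users[target_id]
    in_scope = target.domain == caller.domain or target.domain.startswith(caller.domain + "/")
    allowed = (caller.id == target.id or caller.role == ROOT_ADMIN
               or (caller.role == DOMAIN_ADMIN and target.role != ROOT_ADMIN and in_scope))
    if not allowed:
        raise Forbidden(f"user {caller.id} may not reset keys of user {target_id}")
    return _rotate(target)

def reset_allowed(fn, caller: User, target_id: int, users: dict) -> bool:
    # True if fn rotated the target's keys, False if it refused.
    before = users[target_id].api_key
    try:
        fn(caller, target_id, users)
    except Forbidden:
        return False
    return users[target_id].api_key != before
```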