Proxmox Server Solutions GmbH · Proxmox · CVE-2026-25199
**Name of the Vulnerable Software and Affected Versions**
Apache CloudStack versions 4.21.0.0 through 4.22.0.0
**Description**
Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. The Proxmox extension improperly uses a user-editable instance setting, `proxmox vmid`, to associate instances with Proxmox virtual machines. Since this value is not validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This enables unauthorized cross-tenant access and full control over the targeted VM, including the ability to start, stop, and destroy it.
**Recommendations**
Upgrade to version 4.22.0.1.
Prevent users from editing the `proxmox vmid` instance detail by adding this detail name to the global configuration parameter `user.vm.denied.details`.
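
The ownership check that the description says is missing, next to the trusting lookup it replaces, as an added example (not CloudStack or Proxmox extension code). The `Instance` class, the `BINDINGS` store, all function names and the sample IDs are hypothetical, and `filter_denied` only models the effect of a comma-separated deny list.

```python
# Added illustration; all names and data are constructed, not CloudStack code.
from dataclasses import dataclass, field

DETAIL_KEY = "proxmox vmid"  # detail name as written in the advisory text


@dataclass
class Instance:
    uuid: str
    account: str
    details: dict = field(default_factory=dict)  # user-editable settings


class OwnershipError(Exception):
    """Raised when a requested VM ID is not bound to the calling instance."""


# Server-side binding written at deploy time; tenants cannot edit it.
# (Hypothetical store standing in for a database table.)
BINDINGS = {"inst-a": 101, "inst-b": 102}


def resolve_vmid_trusting_detail(inst: Instance) -> int:
    """Pattern described in the advisory: the editable detail is authoritative."""
    return int(inst.details[DETAIL_KEY])


def resolve_vmid_validated(inst: Instance) -> int:
    """Use the server-side binding; treat a mismatching detail as tampering."""
    bound = BINDINGS.get(inst.uuid)
    if bound is None:
        raise OwnershipError(f"no backend VM bound to {inst.uuid}")
    claimed = inst.details.get(DETAIL_KEY)
    if claimed is not None and str(claimed).strip() != str(bound):
        raise OwnershipError(
            f"{inst.uuid} ({inst.account}) claims VM {claimed!r}, bound to {bound}")
    return bound


def filter_denied(requested: dict, denied_csv: str) -> dict:
    """Drop detail updates whose names appear in a comma-separated deny list,
    modelling the effect of listing the name in user.vm.denied.details."""
    denied = {name.strip() for name in denied_csv.split(",") if name.strip()}
    return {k: v for k, v in requested.items() if k not in denied}
```

A raised `OwnershipError` is also a useful audit signal: it marks an instance whose stored detail no longer matches the VM it was deployed with.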