PT-2026-38916 · Apache · Cloudstack
Published: 2026-05-08 · Updated: 2026-05-11 · CVE-2025-66467
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Apache CloudStack versions prior to 4.20.3.0
Apache CloudStack versions prior to 4.22.0.1
Description
Missing MinIO policy cleanup during bucket deletion allows users to retain access to buckets they previously owned. If a different user creates a new bucket using the same name, the previous owners can obtain unauthorized read and write access to that bucket by utilizing previously generated access and secret keys.
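One way to audit for the leftover grants described above, as an added example that is not CloudStack or MinIO code. It assumes you have exported each MinIO user's attached policy JSON and a map of current bucket owners; the function names, user names and sample data are hypothetical and constructed.

```python
import json

ARN_PREFIX = "arn:aws:s3:::"

def buckets_granted(policy_json):
    """Return bucket names covered by Allow statements in an S3-style policy."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    names = set()
    for st in stmts:
        if st.get("Effect") != "Allow":
            continue
        res = st.get("Resource", [])
        for arn in [res] if isinstance(res, str) else res:
            if arn.startswith(ARN_PREFIX):
                # "arn:aws:s3:::bucket/*" and "arn:aws:s3:::bucket" both map to "bucket"
                names.add(arn[len(ARN_PREFIX):].split("/", 1)[0])
    return names

def stale_grants(user_policies, bucket_owner):
    """List (user, bucket, reason) where a policy outlived the user's ownership."""
    findings = []
    for user, policies in sorted(user_policies.items()):
        for pol in policies:
            for bucket in sorted(buckets_granted(pol)):
                owner = bucket_owner.get(bucket)
                if "*" in bucket or "?" in bucket:
                    findings.append((user, bucket, "wildcard resource, review manually"))
                elif owner is None:
                    findings.append((user, bucket, "bucket deleted, policy remains"))
                elif owner != user:
                    findings.append((user, bucket, f"bucket now owned by {owner}"))
    return findings

def _policy(bucket):
    """Build a constructed read/write policy for one bucket (sample input only)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:*"],
        "Resource": [f"{ARN_PREFIX}{bucket}", f"{ARN_PREFIX}{bucket}/*"]}]})

# Constructed sample: alice deleted "reports", bob later created a bucket with the same name.
SAMPLE_POLICIES = {"alice": [_policy("reports")], "bob": [_policy("reports")],
                   "carol": [_policy("old-logs")]}
SAMPLE_OWNERS = {"reports": "bob"}

if __name__ == "__main__":
    for finding in stale_grants(SAMPLE_POLICIES, SAMPLE_OWNERS):
        print(*finding, sep="\t")
```

Any finding for a bucket that is deleted or owned by someone else is a policy to remove and a key pair to rotate, whether or not the upgrade has been applied.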
Recommendations
Upgrade to version 4.20.3.0 or later.
Upgrade to version 4.22.0.1 or later.
Affected Products
Cloudstack