PT-2026-38919 · Proxmox Server Solutions GmbH · Proxmox

Sander Grendelman · Published 2026-05-08 · Updated 2026-05-11 · CVE-2026-25199

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache CloudStack versions 4.21.0.0 through 4.22.0.0

Description: Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. The Proxmox extension improperly uses a user-editable instance setting, proxmox vmid, to associate instances with Proxmox virtual machines. Because this value is not validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This enables unauthorized cross-tenant access and full control over the targeted VM, including the ability to start, stop, and destroy it.

Recommendations: Upgrade to version 4.22.0.1. Prevent users from editing the proxmox vmid instance detail by adding this detail name to the global configuration parameter user.vm.denied.details.
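As an added illustration (not CloudStack's or the Proxmox extension's own code), the following Python model shows the two defences the advisory describes: enforcing the user.vm.denied.details deny-list so a tenant cannot edit the proxmox vmid detail, and validating the VM ID an instance resolves to against a server-side record of tenant ownership. The Instance class, VMID_OWNER table and function names are hypothetical; the sample tenants are constructed.

```python
"""Hypothetical model of the CVE-2026-25199 defences (not CloudStack code)."""
from dataclasses import dataclass, field

VMID_DETAIL = "proxmox vmid"  # detail name as quoted in the advisory


@dataclass
class Instance:
    id: str
    account: str
    details: dict = field(default_factory=dict)


# Constructed sample data: two tenants, one Proxmox VM each.
INSTANCES = {
    "i-100": Instance("i-100", "tenant-a", {VMID_DETAIL: "100"}),
    "i-101": Instance("i-101", "tenant-b", {VMID_DETAIL: "101"}),
}
# Server-side ownership record written at deploy time; never user-editable.
VMID_OWNER = {100: "tenant-a", 101: "tenant-b"}


def update_detail(inst, key, value, denied_details):
    """User-level detail update guarded by a user.vm.denied.details string.
    Returns True if the detail was changed, False if the key is denied."""
    denied = {d.strip() for d in denied_details.split(",") if d.strip()}
    if key in denied:
        return False
    inst.details[key] = value
    return True


def resolve_vmid_vulnerable(inst):
    """Unpatched behaviour: trust the editable detail as the VM ID."""
    return int(inst.details[VMID_DETAIL])


def resolve_vmid_hardened(inst):
    """Fixed behaviour: the VM ID must be owned by the instance's account.
    Returns the vmid, or None when ownership does not match."""
    vmid = int(inst.details[VMID_DETAIL])
    if VMID_OWNER.get(vmid) != inst.account:
        return None
    return vmid
```

Running the workaround line from the advisory through update_detail with denied_details="proxmox vmid" refuses the edit, and the hardened resolver refuses a vmid the account does not own even if the detail was altered by other means.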

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2026-25199

Affected Products: Apache CloudStack, Proxmox