PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-66467 Apache CVE debrief

CVE-2025-66467 is a high-severity Apache CloudStack issue where MinIO policy cleanup does not occur when a bucket is deleted. If another user later creates a bucket with the same name, the prior owner can keep using previously issued access and secret keys to reach the new bucket with unauthorized read and write access. Apache recommends upgrading to 4.20.3.0 or 4.22.0.1, or later.

Vendor
Apache
Product
Apache CloudStack (MinIO-backed object storage)
CVSS
8.0 HIGH (CVSS 3.1)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-11
Advisory published
2026-05-08
Advisory updated
2026-05-11

Who should care

CloudStack administrators and operators, especially teams running MinIO-backed object storage buckets where bucket deletion and name reuse are possible. Security teams should also care if CloudStack is exposed to users who can create and delete buckets.

Technical summary

The supplied CVE description says bucket deletion in Apache CloudStack can leave MinIO policy state behind. That incomplete cleanup lets a former bucket owner retain effective permissions tied to the deleted bucket name, because the policy is keyed to the name rather than to the bucket instance. If a different user later re-creates a bucket with the same name, the prior owner's still-bound policy applies to the new bucket, and the old access and secret keys can read from and write to it. NVD classifies the issue as CWE-459 (Incomplete Cleanup) and assigns CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H: network reachable but of high attack complexity, requiring only low privileges (an ordinary account able to create buckets) plus a user interaction (consistent with another user recreating the bucket name), with changed scope and high confidentiality, integrity, and availability impact.

Defensive priority

High. Prioritize patching CloudStack instances that expose bucket lifecycle operations to users, especially where MinIO-backed storage and bucket name reuse are part of normal operations. Remediation is available in 4.20.3.0, 4.22.0.1, and later.

Recommended defensive actions

  • Upgrade Apache CloudStack to 4.20.3.0, 4.22.0.1, or a later fixed release.
  • Review any deployments using MinIO-backed buckets for workflows that delete and recreate bucket names.
  • Audit access patterns for stale credentials that may still succeed after bucket deletion.
  • If immediate upgrading is not possible, restrict who can create/delete buckets and monitor for reused bucket names.
  • Validate that bucket-deletion automation also removes any related policy or access control state.
  • Check whether any buckets were deleted and later recreated under the same name, then review access logs for unauthorized use.
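To make the CWE-459 failure in the technical summary concrete, and to show what the audit in the actions above ("stale credentials that may still succeed after bucket deletion", "bucket-deletion automation also removes any related policy or access control state") would look for, here is an added example. It is not CloudStack or MinIO code: it is a toy in-memory model of buckets, MinIO/AWS-style policy documents, and access-key bindings, with a vulnerable delete that drops only the bucket beside a fixed delete that also removes every policy referencing it, plus two audit helpers. The policy shape (Resource ARNs `arn:aws:s3:::<bucket>` and `arn:aws:s3:::<bucket>/*`), the `<bucket>-policy` naming, the user names, and the access keys are all assumptions for illustration; a real audit would feed the same functions from exported policy documents and user-to-policy bindings.

```python
import re

# Assumed policy shape: MinIO/AWS-style Resource ARNs naming one bucket.
# A bare "arn:aws:s3:::*" wildcard deliberately does not match.
ARN_RE = re.compile(r"^arn:aws:s3:::([^/*]+)(?:/.*)?$")


def bucket_policy(bucket):
    """Policy document granting full access to one bucket (assumed shape)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def policy_buckets(doc):
    """Bucket names referenced by a policy document's Resource ARNs."""
    names = set()
    for stmt in doc.get("Statement", []):
        res = stmt.get("Resource", [])
        for arn in ([res] if isinstance(res, str) else res):
            m = ARN_RE.match(arn)
            if m:
                names.add(m.group(1))
    return names


class ObjectStore:
    """Toy model of bucket, policy, and credential state (not MinIO itself)."""

    def __init__(self):
        self.buckets = {}    # bucket name -> owning user
        self.policies = {}   # policy name -> policy document
        self.key_user = {}   # access key -> user it was issued to
        self.bindings = {}   # access key -> set of bound policy names

    def issue_key(self, user, access_key):
        self.key_user[access_key] = user
        self.bindings.setdefault(access_key, set())

    def create_bucket(self, name, user, access_key):
        if name in self.buckets:
            raise ValueError(f"bucket {name!r} already exists")
        self.buckets[name] = user
        pname = f"{name}-policy"          # assumed naming: policy keyed to bucket name
        self.policies[pname] = bucket_policy(name)
        self.bindings[access_key].add(pname)

    def delete_bucket_vulnerable(self, name):
        """Drops the bucket but leaves policy and bindings behind (CWE-459)."""
        del self.buckets[name]

    def delete_bucket_fixed(self, name):
        """Drops the bucket and every policy, and binding, that referenced it."""
        del self.buckets[name]
        stale = {p for p, doc in self.policies.items() if name in policy_buckets(doc)}
        for p in stale:
            del self.policies[p]
        for bound in self.bindings.values():
            bound -= stale

    def can_access(self, access_key, bucket):
        """True if any policy bound to the key names the bucket (toy evaluation)."""
        if bucket not in self.buckets:
            return False
        return any(bucket in policy_buckets(self.policies[p])
                   for p in self.bindings.get(access_key, ()) if p in self.policies)

    def dangling_policies(self):
        """Audit 1: policies whose ARNs name buckets that no longer exist."""
        out = {}
        for p, doc in self.policies.items():
            missing = policy_buckets(doc) - set(self.buckets)
            if missing:
                out[p] = sorted(missing)
        return out

    def foreign_keys(self, bucket):
        """Audit 2: keys of users other than the current owner that still reach it."""
        owner = self.buckets[bucket]
        return sorted(k for k in self.bindings
                      if self.key_user[k] != owner and self.can_access(k, bucket))


def scenario(fixed):
    """alice creates and deletes 'shared'; bob recreates it. Does alice's key still work?"""
    s = ObjectStore()
    s.issue_key("alice", "AKALICE")        # constructed sample credentials
    s.issue_key("bob", "AKBOB")
    s.create_bucket("shared", "alice", "AKALICE")
    (s.delete_bucket_fixed if fixed else s.delete_bucket_vulnerable)("shared")
    dangling = s.dangling_policies()       # non-empty only with the vulnerable delete
    s.create_bucket("shared", "bob", "AKBOB")
    return {
        "dangling_after_delete": dangling,
        "alice_reaches_bobs_bucket": s.can_access("AKALICE", "shared"),
        "foreign_keys_on_shared": s.foreign_keys("shared"),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable", scenario(fixed))
```

With the vulnerable delete, `dangling_policies()` reports `shared-policy` still pointing at the absent bucket, and after bob recreates `shared` alice's key is returned by `foreign_keys("shared")`; with the fixed delete both audits come back empty. Run the two audits against exported policy and binding data from a real deployment: a non-empty first result means deletion left state behind, and a non-empty second result on a recreated bucket name is the condition the actions above tell you to review access logs for.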

Evidence notes

All material facts here are taken from the supplied CVE description, NVD metadata, and the referenced Apache advisory. The supplied record shows publication on 2026-05-08 and modification on 2026-05-11. NVD lists vulnerable CloudStack ranges beginning at 4.19.0.0 and 4.21.0.0, ending before 4.20.3.0 and 4.22.0.1 respectively, along with CWE-459 and CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H.

Official resources

The referenced Apache advisory and the NVD record (published 2026-05-08, modified 2026-05-11 in the supplied data) are the primary sources for this debrief. The issue is not marked as KEV in the supplied enrichment data.