PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25077 Apache CVE debrief

CVE-2026-25077 affects Apache CloudStack deployments that use the KVM hypervisor. According to the vendor advisory and NVD record, account users can register templates that are downloaded directly to primary storage for instance deployment; missing file name sanitization can then allow malicious templates to execute arbitrary code on KVM hosts. Apache says upgrading to 4.20.3.0, 4.22.0.1, or later fixes the issue.

Vendor
Apache
Product
Apache CloudStack (KVM hypervisor deployments)
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-10
Advisory published
2026-05-08
Advisory updated
2026-05-10

Who should care

CloudStack administrators and operators running KVM-based infrastructure should treat this as a priority, especially where regular account users can register or upload templates. Security teams should also review any environment that exposes CloudStack template workflows to less-trusted authenticated users.

Technical summary

The weakness is missing sanitization of the file name of a user-registered template when CloudStack downloads that template directly to primary storage on a KVM host for instance deployment. NVD lists the affected versions as Apache CloudStack 4.11.0.0 up to, but not including, 4.20.3.0, and 4.21.0.0 up to, but not including, 4.22.0.1. The vendor advisory maps the issue to CWE-94 (improper control of generation of code, i.e. code injection). The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H describes abuse over the network by a low-privileged authenticated account, with no user interaction, yielding high confidentiality, integrity and availability impact; the practical outcome named in the advisory is arbitrary code execution on the KVM host.

Defensive priority

High. The combination of remote reachability, low privilege requirements, and potential host-level code execution makes this a significant risk for CloudStack-managed KVM environments. The vector does require an authenticated account, so exposure scales with how many accounts can register templates and how far those accounts are trusted.

Recommended defensive actions

  • Upgrade Apache CloudStack to 4.20.3.0, 4.22.0.1, or later.
  • Review whether non-administrative users can register or upload templates in production and restrict that capability where possible.
  • Audit CloudStack template registration and download workflows for unexpected filenames or path traversal indicators.
  • Check KVM hosts and CloudStack management components for signs of unauthorized template activity or unexpected execution.
  • Prioritize exposure review for any multi-tenant or delegated CloudStack deployments where account users have template-creation rights.
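As an added example, not code from PatchSiren, Apache or the CloudStack project, the following Python audit routine shows the kind of check the second and third actions above call for: it derives the file name a downloader would use from a template URL, percent-decodes repeatedly so double-encoded traversal is not missed, and rejects traversal components, path separators, shell metacharacters and anything outside a small allowlist. The sample URLs are constructed for this example, the "http/https only" rule and the function names are assumptions to adapt to your deployment, and the code does not reproduce the specific flaw in CloudStack; it only shows the input-validation shape that "missing file name sanitization" implies.

```python
import re
from urllib.parse import unquote, urlsplit

# Allowlist for a template file name once it lands on primary storage: a single
# path component, printable ASCII from a small alphabet, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")

# Characters that change meaning if the name is ever interpolated into a shell
# command line or a path on the KVM host.
SHELL_META = set(";|&$`<>()[]{}\"'*?!#~ \t\r\n")

# Schemes accepted for template sources: an assumption for this example.
ALLOWED_SCHEMES = {"http", "https"}


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded traversal (%252e) is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_name(name: str) -> str:
    """Return 'ok' or the first reason an already-decoded file name must be rejected."""
    if "\x00" in name:
        return "nul byte"
    if "/" in name or "\\" in name:
        return "path separator"
    if name in ("", ".", ".."):
        return "empty or dot component"
    if any(ch in SHELL_META for ch in name):
        return "shell metacharacter"
    if not SAFE_NAME.match(name):
        return "outside allowlist"
    return "ok"


def audit_url(url: str) -> str:
    """Classify the file name a downloader would derive from a template URL."""
    parts = urlsplit(url)  # urlsplit keeps ';' in the path; urlparse would split it off
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "unexpected scheme"
    path = fully_unquote(parts.path)
    segments = path.split("/")
    if ".." in segments:  # traversal anywhere in the path, encoded or not
        return "path traversal"
    return classify_name(segments[-1])


def audit_urls(urls):
    """Return [(url, reason)] for every URL whose derived file name is not 'ok'."""
    flagged = []
    for url in urls:
        reason = audit_url(url)
        if reason != "ok":
            flagged.append((url, reason))
    return flagged


# Constructed sample input for this example; not real template registrations.
SAMPLE_URLS = [
    "https://images.example.test/ubuntu-22.04-server.qcow2",
    "https://images.example.test/../../../tmp/x.qcow2",
    "https://images.example.test/%252e%252e%2ftmp/x.qcow2",
    "https://images.example.test/disk;name.qcow2",
    "https://images.example.test/.hidden.qcow2",
    "ftp://images.example.test/disk.qcow2",
]

if __name__ == "__main__":
    for url, reason in audit_urls(SAMPLE_URLS):
        print(f"{reason:22} {url}")
```

Run it over the URL field of your own template registrations (for instance, the output of the CloudStack API's template listing, exported to a list of strings) and treat every non-"ok" line as something to explain. The allowlist is deliberately stricter than what a download would technically accept; loosening it is a conscious decision, not a default.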

Evidence notes

Timing and impact details are taken from the CVE record published 2026-05-08 and modified 2026-05-10. The NVD record cites Apache's security mailing list advisory and OSS-security mirror, identifies affected CloudStack version ranges, and lists CWE-94. The official remediation versions are stated in the vendor description: 4.20.3.0, 4.22.0.1, or later.

Official resources

The primary references are Apache's security mailing list advisory for CVE-2026-25077 and its OSS-security mirror, both cited by the NVD record. Publicly disclosed on 2026-05-08 and modified on 2026-05-10. Not listed in CISA KEV in the supplied data.