PatchSiren cyber security CVE debrief
CVE-2026-25199 Apache CVE debrief
CVE-2026-25199 is a critical Apache CloudStack flaw in the Proxmox extension that can let a non-privileged tenant user gain unauthorized access to another tenant's instance. The issue stems from the use of a user-editable instance detail, proxmox_vmid, to bind CloudStack instances to Proxmox virtual machines. Because that value is not restricted or validated against tenant ownership, and Proxmox VM IDs are predictable, an attacker can change the setting to point at a VM they do not own. The result is cross-tenant access with control actions against the targeted VM, including start, stop, and destroy. Apache states that versions 4.21.0.0 through 4.22.0.0 are affected and that 4.22.0.1 fixes the issue. A documented workaround is to prevent users from editing proxmox_vmid through the user.vm.denied.details global configuration parameter.
- Vendor: Apache
- Product: CVE-2026-25199
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-09
Who should care
CloudStack administrators, platform engineers, and security teams operating Apache CloudStack deployments that use the Proxmox extension should treat this as urgent. It is especially important for multi-tenant environments where tenant isolation depends on CloudStack correctly binding instances to the right Proxmox VM.
Technical summary
The vulnerability is caused by trusting a user-editable instance detail, proxmox_vmid, as the authoritative link between a CloudStack instance and its backing Proxmox VM. The field is not sufficiently restricted or validated against tenant ownership. Since Proxmox VM IDs are predictable, a tenant user can alter the setting to reference another tenant's VM. NVD lists the issue as network-reachable, low-complexity, unauthenticated, and with high confidentiality and integrity impact, while the supplied CVSS vector rates the availability impact as none (A:N). The vendor advisory identifies CWE-200 and provides a fixed release plus a configuration-based mitigation.
Defensive priority
Immediate. This is a critical cross-tenant authorization flaw with direct potential for unauthorized VM control and data exposure. Priority should be high for any CloudStack deployment using the Proxmox extension, particularly shared environments.
Recommended defensive actions
- Upgrade Apache CloudStack to 4.22.0.1 or later as soon as possible.
- Apply the documented workaround on existing installations by adding proxmox_vmid to the user.vm.denied.details global configuration parameter so users cannot edit it.
- Review CloudStack tenant and instance management workflows for any other user-editable details that influence host or VM binding.
- Validate that the Proxmox extension is only exposed to trusted administrators where possible until patching is complete.
- After remediation, verify that affected instances are correctly mapped and that no unauthorized cross-tenant VM changes occurred.
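The workaround above is a single global-configuration change, but operators usually want to check the running version, inspect the current value of user.vm.denied.details without clobbering details that are already denied, and then issue the update through the CloudStack API. The following Python is an added example written for this debrief, not code from Apache CloudStack or from the advisory. It assumes the standard CloudStack API request-signing scheme (sorted, lowercased query string, HMAC-SHA1 over it with the account's secret key, base64-encoded) and the listConfigurations and updateConfiguration API commands with their name and value parameters; the sample current value "rootdisksize" and the API/secret key strings are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Values taken from the advisory text in this debrief.
DENIED_DETAILS_KEY = "user.vm.denied.details"
DETAIL_TO_DENY = "proxmox_vmid"
AFFECTED_MIN = (4, 21, 0, 0)   # first affected release
FIXED = (4, 22, 0, 1)          # first fixed release


def parse_version(version: str) -> tuple:
    """Turn '4.22.0' into a 4-part integer tuple, padding missing parts with 0."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_affected(version: str) -> bool:
    """True when the CloudStack version falls in the advisory's affected range."""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED


def merged_denied_details(current: str) -> tuple:
    """Return (new_value, changed): the comma-separated denied-details list with
    proxmox_vmid appended only if it is not already present, so existing entries
    an operator has denied are preserved."""
    items = [x.strip() for x in (current or "").split(",") if x.strip()]
    if DETAIL_TO_DENY in items:
        return ",".join(items), False
    items.append(DETAIL_TO_DENY)
    return ",".join(items), True


def sign_query(params: dict, api_key: str, secret_key: str) -> tuple:
    """Build a CloudStack API query string and its signature.
    Assumption: keys sorted, values URL-encoded, whole string lowercased before
    HMAC-SHA1 with the secret key, signature base64-encoded (the documented scheme)."""
    p = dict(params)
    p["apikey"] = api_key
    p.setdefault("response", "json")
    query = "&".join(
        f"{k}={urllib.parse.quote(str(v), safe='*')}" for k, v in sorted(p.items())
    )
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    return query, signature


def signed_url(base_url: str, params: dict, api_key: str, secret_key: str) -> str:
    """Full GET URL for the management server (signature is URL-encoded as a parameter)."""
    query, signature = sign_query(params, api_key, secret_key)
    return f"{base_url}?{query}&signature={urllib.parse.quote(signature, safe='')}"


def mitigation_plan(version: str, current_denied: str, base_url: str,
                    api_key: str, secret_key: str) -> dict:
    """Decide what to do for one management server: read-only check when already
    mitigated or unaffected, otherwise the updateConfiguration request to send."""
    new_value, changed = merged_denied_details(current_denied)
    plan = {
        "affected": is_affected(version),
        "current_value": current_denied,
        "new_value": new_value,
        "read_url": signed_url(base_url, {"command": "listConfigurations",
                                          "name": DENIED_DETAILS_KEY}, api_key, secret_key),
    }
    if plan["affected"] and changed:
        plan["update_url"] = signed_url(base_url, {"command": "updateConfiguration",
                                                   "name": DENIED_DETAILS_KEY,
                                                   "value": new_value}, api_key, secret_key)
    return plan


if __name__ == "__main__":
    # Constructed sample inputs: a vulnerable version and a denied list that already
    # contains one other detail; keys are placeholders, not real credentials.
    plan = mitigation_plan("4.22.0.0", "rootdisksize",
                           "https://cloudstack.example.invalid/client/api",
                           "EXAMPLE-API-KEY", "EXAMPLE-SECRET-KEY")
    for k, v in plan.items():
        print(f"{k}: {v}")
```

The update URL is only produced when the version is in the affected range and proxmox_vmid is not already denied; after upgrading to 4.22.0.1 or later the plan degrades to the read-only listConfigurations request, which is still useful for confirming the setting survived the upgrade. Send the URLs with an HTTPS GET from a host that is allowed to reach the management server, using an admin account's keys.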
Evidence notes
The CVE description states that the Proxmox extension for CloudStack uses the user-editable proxmox_vmid detail to associate instances with Proxmox VMs and that this can be altered to reference another tenant's VM. It also states that the affected range is 4.21.0.0 through 4.22.0.0 and that 4.22.0.1 fixes the issue, with a workaround via user.vm.denied.details. NVD supplies the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N and lists the advisory and oss-security references. The vendor advisory reference is the Apache mailing list post linked from the CVE record.
Official resources
- CVE-2026-25199 CVE record (CVE.org)
- CVE-2026-25199 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mailing List, Vendor Advisory
- Source reference: af854a3a-2127-422b-91ae-364da2661108
Publicly disclosed via the Apache security advisory referenced on 2026-05-08, with the CVE published the same day and modified on 2026-05-09. Use the CVE published date, not the report generation time, as the issue date.