PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-66170 Lists CVE debrief

CVE-2025-66170 describes an improper authorization logic issue in the CloudStack Backup plugin. In affected versions 4.21.0.0 and 4.22.0.0, an authenticated user account with access to specific APIs may be able to list backups belonging to other accounts in the same environment. The advisory notes that backup contents are not exposed, but backup metadata and account association can still leak across tenants. The recommended fix is to upgrade to 4.22.0.1.

Vendor: Lists
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-09
Advisory published: 2026-05-08
Advisory updated: 2026-05-09

Who should care

CloudStack administrators, security teams, and platform owners should pay attention if the Backup plugin is enabled and authenticated user accounts can access the related APIs. Multi-tenant environments are the highest concern because the issue allows cross-account backup listing.

Technical summary

The issue is an authorization failure rather than a content disclosure bug. According to the advisory, the Backup plugin’s logic does not correctly restrict backup-listing actions to the caller’s own account. The NVD record cites CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N and CWE-863 (Incorrect Authorization). The source material indicates affected versions 4.21.0.0 and 4.22.0.0, with remediation in 4.22.0.1.
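The authorization failure described above, shown as a constructed Python illustration rather than CloudStack's own code (the Caller and Backup types, the in-memory store and both function names are assumptions): the first listing function trusts whatever account filter the request supplies, which is the CWE-863 pattern, while the second scopes results to the calling account and refuses a non-admin request for another tenant's backups.

```python
"""CWE-863 (Incorrect Authorization) in a backup-listing API, side by side
with a scoped version. Constructed example code, not Apache CloudStack's
implementation; the data model and function names are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """The authenticated principal making the API call."""
    account_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Backup:
    """Backup metadata only; contents are never returned by either function."""
    backup_id: str
    account_id: str  # owning tenant
    size_bytes: int


# Constructed inventory spanning three tenants.
BACKUP_STORE = [
    Backup("bk-001", "acct-a", 1024),
    Backup("bk-002", "acct-a", 2048),
    Backup("bk-003", "acct-b", 4096),
    Backup("bk-004", "acct-c", 8192),
]


def list_backups_vulnerable(caller, requested_account=None):
    """Trusts the caller-supplied filter and ignores who is asking.

    With no filter every tenant's metadata is returned; with a filter the
    caller picks any tenant it likes. The caller argument is unused, which is
    the defect: authentication happened, authorization did not."""
    if requested_account is None:
        return list(BACKUP_STORE)
    return [b for b in BACKUP_STORE if b.account_id == requested_account]


def list_backups_hardened(caller, requested_account=None):
    """Scopes results to the caller's own account unless the caller is admin.

    A non-admin asking for another account gets PermissionError rather than a
    silently narrowed or widened result, so the denial is visible in logs."""
    if caller.is_admin:
        scope = requested_account  # admins may filter freely or see all
    else:
        if requested_account not in (None, caller.account_id):
            raise PermissionError("caller may only list its own backups")
        scope = caller.account_id
    return [b for b in BACKUP_STORE if scope is None or b.account_id == scope]


def is_denied(caller, requested_account):
    """True if the hardened path refuses the request."""
    try:
        list_backups_hardened(caller, requested_account)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    tenant = Caller("acct-a")
    print("vulnerable, no filter:", [b.backup_id for b in list_backups_vulnerable(tenant)])
    print("hardened, no filter:  ", [b.backup_id for b in list_backups_hardened(tenant)])
    print("hardened, other acct denied:", is_denied(tenant, "acct-b"))
```

The point of the hardened version is that the tenant scope comes from the authenticated session, never from request parameters; an explicit denial also gives the audit trail something to record.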

Defensive priority

Medium. The flaw requires authenticated access and does not reveal backup contents, but it can expose backup inventory across accounts in a multi-tenant service, which may create privacy and operational risk.

Recommended defensive actions

  • Upgrade CloudStack to version 4.22.0.1 or later as recommended in the advisory.
  • Confirm whether the Backup plugin is enabled in your environment and disable it if it is not required.
  • Review API access granted to authenticated user accounts, especially any endpoints related to backup listing.
  • Audit for unexpected cross-account backup enumeration in logs and administrative telemetry.
  • Treat exposed backup metadata as sensitive and assess whether any tenant-isolation controls need additional review.
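For the log-audit action above, a constructed detection sketch (added here; not part of the advisory or of CloudStack): it parses an invented key=value API audit log and flags non-admin listBackups calls whose result rows belong to another account. The log format, field names and sample lines are assumptions; map them onto whatever your management plane actually records.

```python
"""Detect cross-account backup enumeration in API audit logs.

Constructed example code, not part of the advisory or of CloudStack. The log
format is invented: one API call per line with caller account, role, API
name, and the owning accounts of the rows that were returned."""
import re

# Constructed log format: key=value fields, result_accounts may be empty.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) caller=(?P<caller>\S+) role=(?P<role>\S+) "
    r"api=(?P<api>\S+) result_accounts=(?P<accounts>\S*)$"
)

# Constructed sample: one tenant's listBackups call returns rows owned by two
# other tenants, the symptom the advisory's flaw would produce.
SAMPLE_LOG = """\
2026-05-08T10:00:01Z caller=acct-a role=user api=listBackups result_accounts=acct-a
2026-05-08T10:00:05Z caller=acct-a role=user api=listBackups result_accounts=acct-a,acct-b,acct-c
2026-05-08T10:00:09Z caller=root role=admin api=listBackups result_accounts=acct-a,acct-b
2026-05-08T10:00:12Z caller=acct-b role=user api=listVirtualMachines result_accounts=acct-b
2026-05-08T10:00:20Z caller=acct-b role=user api=listBackups result_accounts=
"""


def parse_events(text):
    """Turn log text into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["accounts"] = {a for a in ev["accounts"].split(",") if a}
        events.append(ev)
    return events


def find_cross_account_listing(events, api="listBackups"):
    """Flag non-admin calls to `api` whose results include another account.

    Admin roles are expected to see every tenant and are excluded; the check
    is about tenant isolation, not about administrative activity."""
    findings = []
    for ev in events:
        if ev["api"] != api or ev["role"] == "admin":
            continue
        foreign = ev["accounts"] - {ev["caller"]}
        if foreign:
            findings.append({
                "ts": ev["ts"],
                "caller": ev["caller"],
                "foreign_accounts": sorted(foreign),
            })
    return findings


def callers_with_cross_account_hits(events):
    """Distinct non-admin callers that ever received another tenant's rows."""
    return sorted({f["caller"] for f in find_cross_account_listing(events)})


if __name__ == "__main__":
    for f in find_cross_account_listing(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['caller']} saw backups of "
              f"{', '.join(f['foreign_accounts'])}")
```

Run against the period before the upgrade to 4.22.0.1 as well as after it: hits before the upgrade tell you which tenants' backup inventory may already have been observed, and any hit after it suggests the patch did not land where you think it did.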

Evidence notes

Source material states that the CloudStack Backup plugin has improper authorization logic in versions 4.21.0.0 and 4.22.0.0, and that an authenticated user account with access to specific APIs can list backups from any account without exposing backup contents. The NVD metadata lists CWE-863 and CVSS v3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The record was published on 2026-05-08 and modified on 2026-05-09. References include an Apache security mailing list thread and an OSS Security mirror.

Official resources

Public advisory surfaced through the NVD and linked Apache security mailing list references on 2026-05-08, with a modified NVD record on 2026-05-09. The advisory recommends upgrading to 4.22.0.1.