CRITICAL
STACKIT
CVE published 2026-06-08
CVE-2026-39910
CVE-2026-39910 is a critical vulnerability in the STACKIT IaaS API that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise. The vulnerability is caused by a missing authorization check in the API, which allows attackers to attach arbitrary service accounts to virtual machines they control. This can be done by exploiting the unvalidated PUT servers service-acc [truncated]