CVE-2026-25199

Severity CVSS v4.0:
Pending analysis
Type:
CWE-200 Information Leak / Disclosure
Publication date:
08/05/2026
Last modified:
09/05/2026

Description

Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants.

This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0.

The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership, and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine.

Users are recommended to upgrade to version 4.22.0.1, which fixes this issue.

As a workaround for existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter user.vm.denied.details.
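As an added audit helper (not Apache CloudStack's own code), the following checks a deployment's version string against the affected range above and whether the workaround is in place; it assumes that user.vm.denied.details is a comma-separated list of detail names and that both values are read from the global settings by the administrator.

```python
# Added audit helper for CVE-2026-25199; not Apache CloudStack code.
# Inputs: the CloudStack version string and the current value of the
# global setting user.vm.denied.details (assumed comma-separated).
from typing import Tuple

AFFECTED_FROM = (4, 21, 0, 0)   # 4.21.0.0 (including)
FIXED_IN = (4, 22, 0, 1)        # 4.22.0.1 (excluding)
DETAIL = "proxmox_vmid"         # user-editable detail named in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.22.0.0-SNAPSHOT' -> (4, 22, 0, 0); pads short versions to four parts."""
    core = version.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True for 4.21.0.0 <= version < 4.22.0.1, the range given in the advisory."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def denied_details(value: str) -> set:
    """Split the setting into a set of detail names, ignoring blanks and spaces."""
    return {d.strip() for d in value.split(",") if d.strip()}


def workaround_applied(denied_value: str) -> bool:
    """True when users are already prevented from editing proxmox_vmid."""
    return DETAIL in denied_details(denied_value)


def recommended_value(denied_value: str) -> str:
    """Setting value with proxmox_vmid appended; unchanged if already present."""
    if workaround_applied(denied_value):
        return denied_value
    existing = [d.strip() for d in denied_value.split(",") if d.strip()]
    return ",".join(existing + [DETAIL])


def assess(version: str, denied_value: str) -> str:
    """One-line verdict an operator can act on."""
    if not is_affected(version):
        return "not affected"
    if workaround_applied(denied_value):
        return "affected, workaround applied (upgrade to 4.22.0.1)"
    return "affected, workaround missing"
```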

Vulnerable products and versions

CPE:
cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
From:
4.21.0.0 (including)
Up to:
4.22.0.1 (excluding)