VIR Vulnerability Intelligence Relay

CVE-2025-66467

high
Published 2026-05-08 · Modified 2026-05-11
CVSS v3
8.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v2
VIR risk
8.1

Description

Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

Predictions

Exploit likelihood
88%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

Application impact
VendorProductVersionsFixed
apache apachecloudstack{"startIncluding":"4.19.0.0","endExcluding":"4.20.3.0"}4.20.3.0

References

CWEs

CWE-459

Verify integrity in audit chain (admin only). AS-IS.