CVE-2025-66467 Overview
CVE-2025-66467 is a high-severity authorization flaw in Apache CloudStack. The vulnerability stems from incomplete cleanup [CWE-459] of MinIO policies when buckets are deleted through CloudStack: the bucket is removed, but the MinIO policy that granted the owner's access and secret keys rights over it is left in place, and those keys remain valid. When a different user later creates a bucket with the same name, the stale policy applies to the new bucket, so the previous owner can read and write it with the old credentials.
The issue affects Apache CloudStack deployments that integrate with MinIO object storage. Apache has released fixes in CloudStack 4.20.3.0 and 4.22.0.1.
Critical Impact
Stale MinIO policies grant prior bucket owners unauthorized read and write access to newly created buckets sharing the same name, enabling cross-tenant data exposure and tampering.
Affected Products
- Apache CloudStack releases on the 4.20 line prior to 4.20.3.0
- Apache CloudStack releases on the 4.22 line prior to 4.22.0.1
- Deployments using MinIO-backed object storage integration
Discovery Timeline
- 2026-05-08 - CVE-2025-66467 published to NVD
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2025-66467
Vulnerability Analysis
Apache CloudStack provisions MinIO buckets and, for each one, creates a MinIO policy that authorizes the bucket owner's generated access and secret keys against that bucket. When the bucket is deleted via CloudStack, the associated MinIO policy is neither detached from the owner's keys nor removed. The keys themselves remain valid against the MinIO backend.
A MinIO policy scopes its grant by bucket name: the statement's Resource entries are S3-style ARNs such as arn:aws:s3:::BUCKET and arn:aws:s3:::BUCKET/*, and nothing in the policy distinguishes the bucket it was written for from a later bucket that reuses the name. When a new bucket is created with the same name by another tenant or user, the orphaned policy therefore matches it, and the original key holder can read and write the new bucket without any new grant having been made. This is a cross-tenant boundary violation in shared CloudStack environments.
Root Cause
The root cause is incomplete resource cleanup [CWE-459]. CloudStack removes the bucket object but does not invoke the corresponding MinIO policy detachment or deletion. The access grant outlives the resource it was bound to, and namespace reuse on bucket names converts a stale grant into an active one.
Attack Vector
An authenticated CloudStack user creates a bucket, records the issued MinIO access and secret keys, and later deletes the bucket. When any other user provisions a new bucket using the same name, the original key holder issues S3-compatible API calls against MinIO with the retained credentials and reads or writes the new bucket's contents. Exploitation requires only low privileges (an ordinary CloudStack account able to create buckets) and network reachability to the MinIO S3 endpoint; no interaction from the victim is needed. See the Apache Mailing List Thread for advisory details.
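The deletion path and the name-reuse attack described above, condensed into a runnable simulation. This is an added example, not CloudStack or MinIO source code: the policy document follows the S3-style resource-ARN format that MinIO accepts, but MinioStore, CloudStackObjectStore and the authorizer are simplified stand-ins, and the policy naming, account names and key format are assumptions made for the illustration. With fixed=False the delete leaves the name-scoped policy attached to tenant A's key, so that key is still authorized against tenant B's recreated bucket; with fixed=True the policy is detached and removed before the bucket goes away.

```python
"""Simulation of the CVE-2025-66467 failure mode (added example, not project code).

A per-bucket policy is scoped by bucket *name*.  If deleteBucket does not
detach and remove it, the grant silently applies to whatever bucket next
takes that name."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import secrets


def bucket_policy(bucket: str) -> dict:
    """Policy of the kind attached to the owner's key (assumed shape).
    Resource ARNs name the bucket; they carry no bucket identity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


@dataclass
class MinioStore:
    """Stand-in for the MinIO side: buckets, named policies, attachments."""
    buckets: set = field(default_factory=set)
    policies: dict = field(default_factory=dict)      # policy name -> document
    attachments: dict = field(default_factory=dict)   # access key -> {policy names}

    def authorize(self, access_key: str, action: str, bucket: str, obj: str = "") -> bool:
        """Allow if any policy attached to the key matches action and resource ARN."""
        if bucket not in self.buckets:
            return False
        arn = f"arn:aws:s3:::{bucket}" + (f"/{obj}" if obj else "")
        for name in self.attachments.get(access_key, set()):
            for st in self.policies.get(name, {}).get("Statement", []):
                if st["Effect"] == "Allow" and action in st["Action"] \
                        and any(fnmatchcase(arn, r) for r in st["Resource"]):
                    return True
        return False


class CloudStackObjectStore:
    """Stand-in for CloudStack's bucket workflow.  fixed=False reproduces the
    CWE-459 bug (bucket dropped, policy kept); fixed=True detaches and removes
    the policy first."""

    def __init__(self, minio: MinioStore, fixed: bool):
        self.minio, self.fixed = minio, fixed
        self.keys: dict = {}    # account -> long-lived access key (assumed: one per account)
        self.owner: dict = {}   # bucket -> account

    def access_key_for(self, account: str) -> str:
        return self.keys.setdefault(account, "AK" + secrets.token_hex(8))

    def create_bucket(self, account: str, bucket: str) -> None:
        if bucket in self.minio.buckets:
            raise ValueError(f"bucket {bucket!r} already exists")
        key = self.access_key_for(account)
        self.minio.buckets.add(bucket)
        self.minio.policies[bucket] = bucket_policy(bucket)   # policy named after the bucket
        self.minio.attachments.setdefault(key, set()).add(bucket)
        self.owner[bucket] = account

    def delete_bucket(self, account: str, bucket: str) -> None:
        if self.owner.get(bucket) != account:
            raise PermissionError("not the bucket owner")
        if self.fixed:
            self.minio.attachments[self.access_key_for(account)].discard(bucket)  # detach
            self.minio.policies.pop(bucket, None)                                 # remove
        self.minio.buckets.discard(bucket)
        del self.owner[bucket]


def reuse_scenario(fixed: bool) -> dict:
    """Tenant A creates and deletes 'shared-data'; tenant B recreates it.
    Returns what tenant A's old key can still do to tenant B's bucket."""
    minio = MinioStore()
    cs = CloudStackObjectStore(minio, fixed=fixed)
    cs.create_bucket("tenant-a", "shared-data")
    key_a = cs.access_key_for("tenant-a")
    cs.delete_bucket("tenant-a", "shared-data")
    cs.create_bucket("tenant-b", "shared-data")
    return {
        "stale_policy_present": "shared-data" in minio.attachments.get(key_a, set()),
        "get": minio.authorize(key_a, "s3:GetObject", "shared-data", "customers.csv"),
        "put": minio.authorize(key_a, "s3:PutObject", "shared-data", "planted.sh"),
        "list": minio.authorize(key_a, "s3:ListBucket", "shared-data"),
    }


if __name__ == "__main__":
    print("vulnerable:", reuse_scenario(fixed=False))   # every flag True
    print("fixed:     ", reuse_scenario(fixed=True))    # every flag False
```

The point the simulation makes is that the key never has to be stolen or reissued: tenant A's own credential is the exploit, and the only thing separating the vulnerable from the fixed run is whether the delete path touches the policy at all.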
Detection Methods for CVE-2025-66467
Indicators of Compromise
- MinIO access logs showing S3 API requests against a bucket using access keys not associated with the current bucket owner.
- Successful GetObject, PutObject, or ListBucket operations made with access keys belonging to CloudStack accounts that no longer own the bucket in CloudStack metadata.
- Persistent MinIO IAM policies referencing bucket names that no longer exist or have changed ownership in CloudStack.
Detection Strategies
- Reconcile MinIO IAM policy inventory against CloudStack's current bucket ownership records and flag policies without a matching active bucket-owner pair.
- Correlate CloudStack bucket deletion events with MinIO policy state, alerting when policies persist after deleteBucket operations.
- Monitor for requests against bucket names that were deleted and recreated within a short time window, particularly requests signed with keys that were issued before the recreation.
Monitoring Recommendations
- Enable MinIO audit logging and forward events to a centralized analytics platform for cross-referencing with CloudStack API logs.
- Track access-key-to-bucket usage patterns and alert on credentials accessing buckets whose owners changed in CloudStack.
- Review service account and access key issuance reports on a regular cadence to identify keys without active resource bindings.
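The reconciliation and log-correlation checks listed under Detection Strategies and Monitoring Recommendations, as an added example that is not CloudStack or MinIO tooling. All three inputs are constructed inline: the bucket inventory stands in for CloudStack's current bucket ownership, the policy map for what an operator assembles from mc admin policy list and mc admin policy entities, and the audit lines for MinIO's JSON audit log. The field names (api.name, api.bucket, api.statusCode, accessKey, requestHeader.Authorization) are assumptions about that log shape, and the fallback to the SigV4 Credential= scope covers records that omit a top-level accessKey.

```python
"""Reconcile MinIO policy state and audit events with CloudStack's view of
bucket ownership (added example; inputs are constructed, field names assumed)."""
import json
import re
from typing import Optional

# Constructed: CloudStack's current view, bucket name -> (owning account, owner's access key).
CLOUDSTACK_BUCKETS = {
    "billing-exports": ("acct-finance", "AKFINANCE01"),
    "shared-data": ("acct-tenant-b", "AKTENANTB01"),
}

# Constructed: MinIO policy name -> access keys the policy is attached to.
MINIO_POLICIES = {
    "billing-exports": ["AKFINANCE01"],
    "shared-data": ["AKTENANTA01", "AKTENANTB01"],   # tenant A's stale attachment
    "old-backups": ["AKTENANTA01"],                   # bucket no longer exists in CloudStack
}

# Constructed MinIO-style audit records, one JSON object per line.
AUDIT_LOG = """\
{"time":"2026-05-09T10:01:02Z","api":{"name":"GetObject","bucket":"shared-data","object":"customers.csv","statusCode":200},"accessKey":"AKTENANTA01","remotehost":"203.0.113.7"}
{"time":"2026-05-09T10:01:05Z","api":{"name":"PutObject","bucket":"shared-data","object":"notes.txt","statusCode":200},"accessKey":"AKTENANTB01","remotehost":"198.51.100.4"}
{"time":"2026-05-09T10:02:11Z","api":{"name":"ListObjectsV2","bucket":"billing-exports","statusCode":200},"requestHeader":{"Authorization":"AWS4-HMAC-SHA256 Credential=AKFINANCE01/20260509/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=abc"},"remotehost":"10.0.0.5"}
{"time":"2026-05-09T10:03:40Z","api":{"name":"GetObject","bucket":"shared-data","object":"customers.csv","statusCode":403},"accessKey":"AKNOBODY","remotehost":"203.0.113.9"}
"""

_CRED_RE = re.compile(r"Credential=([^/]+)/")


def access_key_of(event: dict) -> Optional[str]:
    """Access key behind an audit event: top-level field if present, else the
    SigV4 credential scope in the Authorization header."""
    if event.get("accessKey"):
        return event["accessKey"]
    auth = (event.get("requestHeader") or {}).get("Authorization", "")
    m = _CRED_RE.search(auth)
    return m.group(1) if m else None


def reconcile_policies(buckets: dict, policies: dict) -> dict:
    """orphaned: policies with no live bucket of that name.
    foreign_attachments: (policy, key) pairs where the key is not the current
    owner's key for the bucket the policy is named after."""
    orphaned = sorted(name for name in policies if name not in buckets)
    foreign = []
    for name, keys in policies.items():
        if name in buckets:
            owner_key = buckets[name][1]
            foreign.extend((name, k) for k in keys if k != owner_key)
    return {"orphaned": orphaned, "foreign_attachments": sorted(foreign)}


def suspicious_events(audit_text: str, buckets: dict) -> list:
    """Successful (2xx) calls on a live bucket by a key other than the current
    owner's.  Denied requests are skipped: they show no policy was applied."""
    hits = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        api = ev.get("api", {})
        bucket = api.get("bucket")
        if bucket not in buckets or not 200 <= int(api.get("statusCode", 0)) < 300:
            continue
        key = access_key_of(ev)
        owner_acct, owner_key = buckets[bucket]
        if key != owner_key:
            hits.append({"time": ev.get("time"), "api": api.get("name"), "bucket": bucket,
                         "access_key": key, "current_owner": owner_acct,
                         "remotehost": ev.get("remotehost")})
    return hits


if __name__ == "__main__":
    print(json.dumps(reconcile_policies(CLOUDSTACK_BUCKETS, MINIO_POLICIES), indent=2))
    for hit in suspicious_events(AUDIT_LOG, CLOUDSTACK_BUCKETS):
        print("SUSPICIOUS", hit)
```

Run against a real deployment, the inventory would come from the CloudStack API and the policy map from mc, and the two findings that matter are exactly the ones the constructed data produces: a policy with no bucket behind it (old-backups) and a live bucket whose policy is still attached to a key that is not its current owner's (shared-data, AKTENANTA01), corroborated by a successful GetObject from that key.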
How to Mitigate CVE-2025-66467
Immediate Actions Required
- Upgrade Apache CloudStack to 4.20.3.0 (4.20 line) or 4.22.0.1 (4.22 line) or later, as published in the Apache Mailing List Thread.
- Audit the MinIO IAM policy store and delete policies that reference buckets no longer present in CloudStack.
- Rotate or revoke MinIO access and secret keys associated with previously deleted buckets.
Patch Information
Apache CloudStack 4.20.3.0 and 4.22.0.1 correct the bucket deletion workflow so that the corresponding MinIO policy is removed when the bucket is deleted. Refer to the OpenWall OSS Security Update and the Apache Mailing List Thread for upgrade guidance.
Workarounds
- Manually detach and delete the associated MinIO IAM policy whenever a bucket is removed through CloudStack; rotate or revoke the issued access and secret keys as well where those keys are not still in use for the account's other buckets.
- Block reuse of previously deleted bucket names by enforcing a naming policy or quarantine period at the CloudStack management layer.
- Restrict MinIO endpoint network exposure to only the CloudStack management plane and approved client networks until patching is complete.
# Configuration example: identify and remove orphaned MinIO policies
# ALIAS is the mc alias for the MinIO deployment; run with MinIO admin credentials
mc admin policy list ALIAS                    # enumerate policies; compare names against live CloudStack buckets
mc admin policy info ALIAS POLICY_NAME        # confirm the Resource ARNs reference the deleted bucket name
mc admin policy remove ALIAS POLICY_NAME      # if keys still hold it, detach first with: mc admin policy detach ALIAS POLICY_NAME --user USER
mc admin user svcacct rm ALIAS ACCESS_KEY     # only if the key is a service account that is no longer needed; a plain MinIO user is removed with mc admin user rm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


