Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66467

CVE-2025-66467: Apache CloudStack Auth Bypass Vulnerability

CVE-2025-66467 is an authentication bypass flaw in Apache CloudStack that allows unauthorized bucket access through retained MinIO policies. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-66467 Overview

CVE-2025-66467 is a high-severity authorization flaw in Apache CloudStack. The vulnerability stems from incomplete cleanup [CWE-459] of MinIO policies when buckets are deleted through CloudStack. Users retain valid access and secret keys tied to deleted bucket policies. When a different user later creates a bucket with the same name, previous owners can read and write to it using their old credentials.

The issue affects Apache CloudStack deployments that integrate with MinIO object storage. Apache has released fixes in CloudStack 4.20.3.0 and 4.22.0.1.

Critical Impact

Stale MinIO policies grant prior bucket owners unauthorized read and write access to newly created buckets sharing the same name, enabling cross-tenant data exposure and tampering.

Affected Products

  • Apache CloudStack versions prior to 4.20.3.0
  • Apache CloudStack versions prior to 4.22.0.1
  • Deployments using MinIO-backed object storage integration

Discovery Timeline

  • 2026-05-08 - CVE-2025-66467 published to NVD
  • 2026-05-11 - Last updated in NVD database

Technical Details for CVE-2025-66467

Vulnerability Analysis

Apache CloudStack provisions MinIO buckets and binds per-user access policies that authorize the bucket owner using generated access and secret keys. When the bucket is deleted via CloudStack, the associated MinIO policy is not removed. The credentials remain valid against the MinIO backend.

MinIO matches policies by bucket name. When a new bucket is created with the same name by another tenant or user, the orphaned policy continues to apply. The original key holder gains read and write access to the new bucket without re-authentication or authorization. This produces a cross-tenant boundary violation in shared CloudStack environments.

Root Cause

The root cause is incomplete resource cleanup [CWE-459]. CloudStack removes the bucket object but does not invoke the corresponding MinIO policy detachment or deletion. The access grant outlives the resource it was bound to, and namespace reuse on bucket names converts a stale grant into an active one.

Attack Vector

An authenticated CloudStack user creates a bucket, records the issued MinIO access and secret keys, and later deletes the bucket. When any other user provisions a new bucket using the same name, the original key holder issues S3-compatible API calls against MinIO using the retained credentials and performs reads or writes on the new bucket contents. Exploitation requires only low privileges and network access to the MinIO endpoint. See the Apache Mailing List Thread for advisory details.

Detection Methods for CVE-2025-66467

Indicators of Compromise

  • MinIO access logs showing S3 API requests against a bucket using access keys not associated with the current bucket owner.
  • Successful GetObject, PutObject, or ListBucket operations from CloudStack accounts that no longer hold the bucket in CloudStack metadata.
  • Persistent MinIO IAM policies referencing bucket names that no longer exist or have changed ownership in CloudStack.

Detection Strategies

  • Reconcile MinIO IAM policy inventory against CloudStack's current bucket ownership records and flag policies without a matching active bucket-owner pair.
  • Correlate CloudStack bucket deletion events with MinIO policy state, alerting when policies persist after deleteBucket operations.
  • Monitor for repeated authentication attempts on bucket names that have undergone deletion and recreation within a short time window.

Monitoring Recommendations

  • Enable MinIO audit logging and forward events to a centralized analytics platform for cross-referencing with CloudStack API logs.
  • Track access-key-to-bucket usage patterns and alert on credentials accessing buckets whose owners changed in CloudStack.
  • Review service account and access key issuance reports on a regular cadence to identify keys without active resource bindings.

How to Mitigate CVE-2025-66467

Immediate Actions Required

  • Upgrade Apache CloudStack to version 4.20.3.0 or 4.22.0.1 or later as published in the Apache Mailing List Thread.
  • Audit the MinIO IAM policy store and delete policies that reference buckets no longer present in CloudStack.
  • Rotate or revoke MinIO access and secret keys associated with previously deleted buckets.

Patch Information

Apache CloudStack 4.20.3.0 and 4.22.0.1 correct the bucket deletion workflow so that the corresponding MinIO policy is removed when the bucket is deleted. Refer to the OpenWall OSS Security Update and the Apache Mailing List Thread for upgrade guidance.

Workarounds

  • Manually delete the associated MinIO IAM policy and revoke the issued access and secret keys whenever a bucket is removed through CloudStack.
  • Block reuse of previously deleted bucket names by enforcing a naming policy or quarantine period at the CloudStack management layer.
  • Restrict MinIO endpoint network exposure to only the CloudStack management plane and approved client networks until patching is complete.
bash
# Configuration example: identify and remove orphaned MinIO policies
mc admin policy list ALIAS
mc admin policy info ALIAS POLICY_NAME
mc admin policy remove ALIAS POLICY_NAME
mc admin user svcacct rm ALIAS ACCESS_KEY

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.