CVE-2026-25199 Overview
CVE-2026-25199 is a cross-tenant access vulnerability in Apache CloudStack affecting deployments that use the Proxmox extension. The flaw stems from improper validation of the proxmox_vmid instance setting, which CloudStack uses to associate instances with Proxmox virtual machines. Because the value is user-editable and Proxmox VM IDs are predictable, a non-privileged attacker can reassign the setting to a VM owned by another tenant. The issue affects Apache CloudStack versions 4.21.0.0 through 4.22.0.0 and is fixed in 4.22.0.1. The vulnerability falls under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Authenticated low-privilege users can take full control of virtual machines belonging to other tenants, including starting, stopping, and destroying them.
Affected Products
- Apache CloudStack versions 4.21.0.0 through 4.22.0.0 (fixed in 4.22.0.1)
- Deployments using the Proxmox extension for hypervisor integration
Discovery Timeline
- 2026-05-08 - CVE-2026-25199 published to NVD
- 2026-05-09 - Last updated in NVD database
Technical Details for CVE-2026-25199
Vulnerability Analysis
Apache CloudStack is an open-source Infrastructure-as-a-Service (IaaS) platform that orchestrates compute, network, and storage resources across multiple hypervisors. The Proxmox extension allows CloudStack to manage virtual machines running on Proxmox Virtual Environment (VE) hosts. CloudStack tracks the mapping between its own instance objects and the underlying Proxmox VMs using an instance detail named proxmox_vmid.
The vulnerability arises because proxmox_vmid is exposed as a user-editable instance setting. CloudStack does not validate that the referenced Proxmox VM ID belongs to the authenticated tenant. When a user updates this value, subsequent CloudStack API calls operate on whichever Proxmox VM matches the supplied identifier. This allows lifecycle operations such as start, stop, reboot, and destroy to be executed against another tenant's workload.
Root Cause
The root cause is missing tenant ownership validation on a security-sensitive instance detail. Proxmox VM IDs are sequential integers, which makes enumeration trivial. The Proxmox extension trusts the client-supplied proxmox_vmid value without cross-referencing the requesting account against the actual owner of the target VM in the Proxmox cluster.
Attack Vector
An authenticated CloudStack user with permission to manage their own instances modifies the proxmox_vmid detail on an instance they own. They set the value to a predictable VM ID belonging to another account. Any subsequent operation issued through CloudStack against their instance is dispatched to the victim's Proxmox VM. No user interaction from the victim is required, and the attack is performed entirely over the network through the standard CloudStack API.
No verified proof-of-concept code is currently public. See the Apache Mailing List Thread for the upstream advisory.
Detection Methods for CVE-2026-25199
Indicators of Compromise
- CloudStack API audit log entries showing updateVMDetail or equivalent calls that modify the proxmox_vmid key on user instances.
- Lifecycle operations (start, stop, destroy) issued by one account that correlate with state changes on Proxmox VMs owned by a different account.
- Unexpected VM state transitions in Proxmox logs that do not correspond to actions initiated by the legitimate owner.
Detection Strategies
- Review CloudStack audit logs for any modification of the proxmox_vmid instance detail and alert on changes performed by non-administrative accounts.
- Correlate CloudStack instance-to-VM mappings against the Proxmox cluster inventory and flag mismatches where the CloudStack tenant owner differs from the historical Proxmox VM owner.
- Monitor for repeated failed or successful API calls that iterate through sequential proxmox_vmid values, indicating enumeration.
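The first two detection strategies above (alerting on non-administrative edits of the proxmox_vmid detail, and spotting accounts that walk through sequential VM IDs) can be applied to API audit entries with a short script. The following is an added example written for this page, not code from the advisory or from the Apache CloudStack project. Its log lines are constructed and use a simplified "<timestamp> account=<name> role=<role> <query-string>" layout; the real api-server.log format differs, so parse_line() must be adapted to it. It assumes the API call that edits an instance detail is updateVirtualMachine with details[N].key / details[N].value parameters (the page itself only names "updateVMDetail or equivalent"), and all function names are the example's own.

```python
"""Flag proxmox_vmid edits and sequential-ID probing in CloudStack API audit entries.

Added example for this advisory; not code from the advisory or from Apache CloudStack.
The log layout and the sample entries below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample audit entries (one API call per line).
SAMPLE_LOG = """\
2026-05-08T10:00:01Z account=admin role=Admin command=updateVirtualMachine&id=vm-1&details[0].key=proxmox_vmid&details[0].value=100
2026-05-08T10:05:12Z account=alice role=User command=updateVirtualMachine&id=vm-7&details[0].key=proxmox_vmid&details[0].value=101
2026-05-08T10:05:20Z account=alice role=User command=startVirtualMachine&id=vm-7
2026-05-08T10:06:02Z account=alice role=User command=updateVirtualMachine&id=vm-7&details[0].key=proxmox_vmid&details[0].value=102
2026-05-08T10:06:40Z account=alice role=User command=updateVirtualMachine&id=vm-7&details[0].key=proxmox_vmid&details[0].value=103
2026-05-08T10:07:00Z account=bob role=User command=updateVirtualMachine&id=vm-9&details[0].key=displayname&details[0].value=web01
"""

# Assumed (constructed) line layout: timestamp, account, role, then the API query string.
LINE_RE = re.compile(r"^(?P<ts>\S+) account=(?P<account>\S+) role=(?P<role>\S+) (?P<query>command=\S+)$")
DETAIL_KEY_RE = re.compile(r"^details\[(\d+)\]\.key$")


def parse_line(line):
    """Return one event dict, or None when the line does not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = {k: v[0] for k, v in parse_qs(m.group("query")).items()}
    return {"ts": m.group("ts"), "account": m.group("account"), "role": m.group("role"),
            "command": params.get("command"), "params": params}


def parse_log(text):
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def find_vmid_edits(events):
    """Every updateVirtualMachine call that sets the proxmox_vmid detail."""
    edits = []
    for ev in events:
        if ev["command"] != "updateVirtualMachine":
            continue
        for key, value in ev["params"].items():
            km = DETAIL_KEY_RE.match(key)
            if km and value == "proxmox_vmid":
                raw = ev["params"].get(f"details[{km.group(1)}].value")
                if raw is not None and raw.isdigit():
                    edits.append({"ts": ev["ts"], "account": ev["account"], "role": ev["role"],
                                  "instance": ev["params"].get("id"), "vmid": int(raw)})
    return edits


def non_admin_vmid_edits(events):
    """Alert condition from the advisory: the detail was changed by a non-administrative account."""
    return [e for e in find_vmid_edits(events) if e["role"] != "Admin"]


def detect_enumeration(edits, min_run=3):
    """Accounts whose proxmox_vmid edits cover at least min_run consecutive VM IDs."""
    by_account = defaultdict(set)
    for e in edits:
        by_account[e["account"]].add(e["vmid"])
    hits = {}
    for account, ids in by_account.items():
        ordered = sorted(ids)
        run, best = [ordered[0]], [ordered[0]]
        for vmid in ordered[1:]:
            run = run + [vmid] if vmid == run[-1] + 1 else [vmid]
            if len(run) > len(best):
                best = run
        if len(best) >= min_run:
            hits[account] = best
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in non_admin_vmid_edits(evs):
        print(f"ALERT non-admin proxmox_vmid edit: {e}")
    for account, ids in detect_enumeration(non_admin_vmid_edits(evs)).items():
        print(f"ALERT sequential VM ID probing by {account}: {ids}")
```

On the constructed sample, the admin's edit is reported by find_vmid_edits() but not by non_admin_vmid_edits(), and alice's three edits through 101, 102 and 103 are returned both individually and as an enumeration run; bob's displayname edit is ignored because the detail key is not proxmox_vmid.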
Monitoring Recommendations
- Forward CloudStack management server logs and Proxmox host logs to a centralized analytics platform for cross-correlation.
- Establish a baseline of expected instance-detail modifications and alert on deviations, particularly for keys related to hypervisor identifiers.
- Track cross-account causality: VM state changes in Proxmox triggered by API sessions belonging to a different CloudStack account should generate a high-severity alert.
How to Mitigate CVE-2026-25199
Immediate Actions Required
- Upgrade Apache CloudStack to version 4.22.0.1, which fixes the validation logic for the proxmox_vmid instance detail.
- Audit all existing instance details across tenants for unexpected proxmox_vmid values and reconcile mappings against the Proxmox inventory.
- Review API audit logs for prior modifications of proxmox_vmid by non-administrative users to identify potential compromise.
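The reconciliation step above (and the matching detection strategy of comparing CloudStack's instance-to-VM mapping against the Proxmox inventory and the historical owner of each VM) is illustrated by the following added example, which is not code from the advisory or from Apache CloudStack. All three inputs are constructed: in a real check they would be built from CloudStack's instance list with its proxmox_vmid details, from the Proxmox cluster's list of existing VM IDs, and from the operator's own provisioning record of which tenant each VM ID was created for. The Instance type, the dictionaries and the function names are this example's own.

```python
"""Reconcile CloudStack instance -> proxmox_vmid mappings against a Proxmox inventory.

Added example for this advisory; not code from the advisory or from Apache CloudStack.
Every input below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Instance:
    instance_id: str
    account: str
    proxmox_vmid: Optional[int]


# Constructed CloudStack view: the VM ID each tenant instance currently points at.
CLOUDSTACK_INSTANCES = [
    Instance("vm-1", "admin", 100),
    Instance("vm-7", "alice", 102),   # alice's instance now points at bob's VM
    Instance("vm-8", "bob", 102),     # bob's legitimate mapping
    Instance("vm-9", "carol", 103),
    Instance("vm-10", "dave", 200),   # points at a VM ID the cluster does not have
    Instance("vm-11", "erin", None),  # never mapped to a Proxmox VM
]

# Constructed provisioning record: the tenant each VM ID was created for.
PROVISIONED_OWNER = {100: "admin", 101: "alice", 102: "bob", 103: "carol"}

# Constructed Proxmox inventory: VM IDs that actually exist in the cluster.
PROXMOX_VMIDS = {100, 101, 102, 103, 104}


def _finding(inst, issue, detail):
    return {"instance": inst.instance_id, "account": inst.account,
            "vmid": inst.proxmox_vmid, "issue": issue, "detail": detail}


def reconcile(instances, provisioned_owner, proxmox_vmids):
    """Return a list of findings; an empty list means every mapping is consistent."""
    findings = []
    first_holder = {}  # vmid -> first instance seen referencing it
    for inst in instances:
        vmid = inst.proxmox_vmid
        if vmid is None:
            continue
        # 1. The referenced VM must exist in the cluster at all.
        if vmid not in proxmox_vmids:
            findings.append(_finding(inst, "dangling", "VM ID not present in Proxmox cluster"))
        # 2. The referencing tenant must be the tenant the VM was provisioned for.
        owner = provisioned_owner.get(vmid)
        if owner is None:
            findings.append(_finding(inst, "unprovisioned", "no provisioning record for this VM ID"))
        elif owner != inst.account:
            findings.append(_finding(inst, "cross-tenant", f"VM ID was provisioned for account {owner}"))
        # 3. Two CloudStack instances must never share one Proxmox VM.
        if vmid in first_holder:
            findings.append(_finding(inst, "duplicate-vmid", f"also referenced by {first_holder[vmid]}"))
        else:
            first_holder[vmid] = inst.instance_id
    return findings


if __name__ == "__main__":
    for f in reconcile(CLOUDSTACK_INSTANCES, PROVISIONED_OWNER, PROXMOX_VMIDS):
        print(f"{f['issue']:>14}  {f['instance']} ({f['account']}) -> vmid {f['vmid']}: {f['detail']}")
```

The cross-tenant finding is the one that matches this CVE directly; the duplicate-vmid finding is the cheaper signal when no provisioning record exists, because a legitimately deployed VM is referenced by exactly one CloudStack instance, so a second instance pointing at the same VM ID is suspicious on its own.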
Patch Information
Apache has released Apache CloudStack 4.22.0.1 as the fixed version. The patch is announced in the Apache Mailing List Thread and the Openwall OSS Security Update. Operators using the Proxmox extension should upgrade as a priority.
Workarounds
- For installations where an immediate upgrade is not feasible, add proxmox_vmid to the global configuration parameter user.vm.denied.details to prevent users from editing this instance detail.
- Restrict access to the CloudStack API to trusted administrative networks until patching is complete.
- Temporarily disable the Proxmox extension if it is not in active production use.
# Configuration example: deny user edits of proxmox_vmid via CloudStack global settings
# Update the global configuration parameter user.vm.denied.details to include proxmox_vmid.
# The value replaces the current setting, so if it already lists other detail keys,
# supply the full comma-separated list with proxmox_vmid appended rather than this bare value.
cloudmonkey update configuration name=user.vm.denied.details value=proxmox_vmid
# Restart the CloudStack management server to apply the change
systemctl restart cloudstack-management
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.