The Apache CloudStack project announces the LTS release of 4.19.3.0 and
4.20.1.0 that includes fixes that address the following security issues:
- CVE-2025-26521 (severity 'Critical')
- CVE-2025-30675 (severity 'Low')
- CVE-2025-47713 (severity 'Critical')
- CVE-2025-47849 (severity 'Moderate')
- CVE-2025-22829 (severity 'Low')
# CVE-2025-26521: CKS cluster in Project Exposes User API Keys
When an Apache CloudStack user-account creates a CKS-based Kubernetes
cluster in a project,
the API key and the secret key of the 'kubeadmin' user of the caller
account are used to create the
secret config in the CKS-based Kubernetes cluster. A member of the project
who can access the
CKS-based Kubernetes cluster, can also access the API key and secret key of
the 'kubeadmin'
user of the CKS cluster's creator's account. An attacker who's a member of
the project can exploit
this to impersonate and perform privileged actions that can result in
complete compromise of the
confidentiality, integrity, and availability of resources owned by the
creator's account.
CKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which
fixes this issue.
Updating Existing Kubernetes Clusters in Projects
A service account should be created for each project to provide limited
access specifically for Kubernetes cluster providers and autoscaling.
Follow the steps below to create a new service account, update the secret
inside the cluster, and regenerate existing API and service keys:
1. Create a New Service Account
Create a new account using the role "Project Kubernetes Service Role" with
the following details:
Account Name: kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID>
First Name: Kubernetes
Last Name: Service User
Account Type: 0 (Normal User)
Role ID: <ID_OF_SERVICE_ROLE>
2. Add the Service Account to the Project
Add this account to the project where the Kubernetes cluster(s) are hosted.
3. Generate API and Secret Keys
Generate API Key and Secret Key for the default user of this account.
4. Update the CloudStack Secret in the Kubernetes Cluster
Create a temporary file /tmp/cloud-config with the following data:
api-url = <API_URL> # For example: <MS_URL>/client/api
api-key = <SERVICE_USER_API_KEY>
secret-key = <SERVICE_USER_SECRET_KEY>
project-id = <PROJECT_ID>
Delete the existing secret using kubectl and Kubernetes cluster config:
./kubectl --kubeconfig kube.conf -n kube-system delete secret
cloudstack-secret
Create a new secret using kubectl and Kubernetes cluster config:
./kubectl --kubeconfig kube.conf -n kube-system create secret generic
cloudstack-secret --from-file=/tmp/cloud-config
Remove the temporary file:
rm /tmp/cloud-config
5. Regenerate API and Secret Keys
Regenerate the API and secret keys for the original user account that was
used to create the Kubernetes cluster.
# CVE-2025-30675: Unauthorised template/ISO list access to the
domain/resource admins
In Apache CloudStack, a flaw in access control affects the listTemplates
and listIsos APIs.
A malicious Domain Admin or Resource Admin can exploit this issue by
intentionally specifying
the 'domainid' parameter along with the 'filter=self' or
'filter=selfexecutable' values.
This allows the attacker to gain unauthorized visibility into templates and
ISOs under the ROOT domain.
A malicious admin can enumerate and extract metadata of templates and ISOs
that belong to unrelated
domains, violating isolation boundaries and potentially exposing sensitive
or internal configuration details.
This vulnerability has been fixed by ensuring the domain resolution
strictly adheres to the caller's scope
rather than defaulting to the ROOT domain.
Affected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or
4.20.1.0.
# CVE-2025-47713: Domain Admin can reset Admin password in Root Domain
A privilege escalation vulnerability exists in Apache CloudStack versions
4.10.0.0 through 4.20.0.0
where a malicious Domain Admin user in the ROOT domain can reset the
password of user-accounts
of Admin role type. This operation is not appropriately restricted and
allows the attacker to assume control
over higher-privileged user-accounts. A malicious Domain Admin attacker can
impersonate an Admin
user-account and gain access to sensitive APIs and resources that could
result in the compromise of
resource integrity and confidentiality, data loss, denial of service, and
availability of infrastructure
managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0,
which fixes the issue with the following:
Strict validation on Role Type hierarchy: the caller's user-account role
must be equal to or higher than the target user-account's role.
API privilege comparison: the caller must possess all privileges of the
user they are operating on.
Two new domain-level settings (restricted to the default Admin):
- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines
which role types are allowed to act on users of the same role type.
Default: "Admin, DomainAdmin, ResourceAdmin".
- allow.operations.on.users.in.same.account: Allows/disallows user
operations within the same account. Default: true.
# CVE-2025-47849: Insecure access of user's API/Secret Keys in the same
domain
A privilege escalation vulnerability exists in Apache CloudStack versions
4.10.0.0 through 4.20.0.0
where a malicious Domain Admin user in the ROOT domain can get the API key
and secret key of
user-accounts of Admin role type in the same domain. This operation is not
appropriately restricted
and allows the attacker to assume control over higher-privileged
user-accounts. A malicious Domain Admin attacker can impersonate an Admin
user-account and gain access to sensitive APIs and resources that could
result in the compromise of resource integrity and confidentiality, data
loss, denial of service, and availability of infrastructure managed by
CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0,
which fixes the issue with the following:
Strict validation on Role Type hierarchy: the caller's role must be equal
to or higher than the target user's role.
API privilege comparison: the caller must possess all privileges of the
user they are operating on.
Two new domain-level settings (restricted to the default admin):
- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines
which role types are allowed to act on users of the same role type.
Default: "Admin, DomainAdmin, ResourceAdmin".
- allow.operations.on.users.in.same.account: Allows/disallows user
operations within the same account. Default: true.
# CVE-2025-22829: Unauthorised access to dedicated resources in Quota plugin
The CloudStack Quota plugin has an improper privilege management logic in
version 4.20.0.0.
Anyone with authenticated user-account access in CloudStack 4.20.0.0
environments, where this plugin is
enabled and has access to specific APIs can enable or disable reception of
quota-related emails for any
account in the environment and list their configurations.
Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to
CloudStack version 4.20.1.0, which fixes this issue.
# Credits
The CVEs are credited to the following reporters:
## CVE-2025-26521:
- Wei Zhou (weiz...@apache.org)
## CVE-2025-30675:
- Bernardo <bernardomg2...@gmail.com>
## CVE-2025-47713:
- Scott Schmitz <sschm...@ussignal.com>
## CVE-2025-47849:
- Kevin <kl...@apple.com>
- Scott Schmitz <sschm...@ussignal.com>
## CVE-2025-22829:
- Fabricio Duarte <fabricio.duarte...@gmail.com>
# Affected versions
## CVE-2025-26521:
- Apache CloudStack 4.17.0.0 through 4.19.2.0
- Apache CloudStack 4.17.0.0 through 4.20.0.0
## CVE-2025-30675:
- Apache CloudStack 4.0.0 through 4.19.2.0
- Apache CloudStack 4.0.0 through 4.20.0.0
## CVE-2025-47713:
- Apache CloudStack 4.10.0.0 through 4.19.2.0
- Apache CloudStack 4.10.0.0 through 4.20.0.0
## CVE-2025-47849:
- Apache CloudStack 4.10.0.0 through 4.19.2.0
- Apache CloudStack 4.10.0.0 through 4.20.0.0
## CVE-2025-22829:
- Apache CloudStack 4.20.0.0
# Resolution
Users are recommended to upgrade to version 4.19.3.0, 4.20.1.0 or later,
which addresses these issues. Additionally, users on a version older than
4.20.0.0 are advised to skip 4.20.0.0 and upgrade to 4.20.1.0 instead.
# Downloads and Documentation
The official source code for the 4.19.3.0 and 4.20.1.0 releases can be
downloaded from the project downloads page:
https://cloudstack.apache.org/downloads
The 4.19.3.0 and 4.20.1.0 release notes can be found at:
- https://docs.cloudstack.apache.org/en/4.19.3.0/releasenotes/about.html
- https://docs.cloudstack.apache.org/en/4.20.1.0/releasenotes/about.html
In addition to the official source code release, individual contributors
have
also made release packages available on the Apache CloudStack download
page, and available at:
- https://download.cloudstack.org/el/7/
- https://download.cloudstack.org/el/8/
- https://download.cloudstack.org/el/9/
- https://download.cloudstack.org/suse/15/
- https://download.cloudstack.org/ubuntu/dists/
- https://www.shapeblue.com/cloudstack-packages/
