The Apache CloudStack project has just announced the LTS release of Apache CloudStack 4.19.3.0 and Apache CloudStack 4.20.1.0. Both releases address a few security issues, which were successfully resolved by the community.
– CVE-2025-26521 (severity ‘Critical’)
– CVE-2025-30675 (severity ‘Low’)
– CVE-2025-47713 (severity ‘Critical’)
– CVE-2025-47849 (severity ‘Moderate’)
– CVE-2025-22829 (severity ‘Low’)
The Apache CloudStack project has also announced an advisory against the above-mentioned security issues.
Affected versions:
CVE-2025-26521:
– Apache CloudStack 4.17.0.0 through 4.19.2.0
– Apache CloudStack 4.17.0.0 through 4.20.1.0
CVE-2025-30675:
– Apache CloudStack 4.0.0 through 4.19.2.0
– Apache CloudStack 4.0.0 through 4.20.0.0
CVE-2025-47713:
– Apache CloudStack 4.10.0.0 through 4.19.2.0
– Apache CloudStack 4.10.0.0 through 4.20.0.0
CVE-2025-47849:
– Apache CloudStack 4.10.0.0 through 4.19.2.0
– Apache CloudStack 4.10.0.0 through 4.20.0.0
CVE-2025-22829:
– Apache CloudStack 4.20.0.0
CVE-2025-26521: CKS cluster in project exposes user API keys
When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the ‘kubeadmin’ user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster can therefore also read the API key and secret key of the ‘kubeadmin’ user belonging to the account of the cluster’s creator. An attacker who is a member of the project can use these keys to impersonate the creator’s account and perform privileged actions, which can result in complete compromise of the confidentiality, integrity, and availability of resources owned by that account.
CKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.
Read the full security advisory here: https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0
CVE-2025-30675: Unauthorised template/ISO list access to the domain/resource admins
In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the ‘domainid’ parameter along with the ‘filter=self’ or ‘filter=selfexecutable’ values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.
A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details. This vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller’s scope rather than defaulting to the ROOT domain.
Affected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.
Read the full security advisory here: https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0
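As an added example (not code from the advisory or from the CloudStack project), the following script hunts management-server API logs for the CVE-2025-30675 access pattern described above: listTemplates or listIsos calls that pass ‘domainid’ together with a self or selfexecutable filter. The log lines and their layout are constructed for this example and are an assumption; the real API parameter names are ‘templatefilter’ (listTemplates) and ‘isofilter’ (listIsos), which the advisory abbreviates to ‘filter’.

```python
"""Flag listTemplates/listIsos calls carrying 'domainid' plus a self/selfexecutable
filter (the CVE-2025-30675 pattern) in CloudStack-style API log lines."""
import re
from urllib.parse import parse_qs

# Constructed sample lines, not real log data. The "(userId=.. accountId=..)" and
# "command=<query string>" layout mimics api-server.log but is an assumption;
# adapt LINE_RE to the exact format your management server writes.
SAMPLE_LOG = """\
2025-05-01 10:01:02,100 INFO  [c.c.a.ApiServer] (userId=12 accountId=12) 10.1.2.3 -- GET command=listTemplates&templatefilter=self&domainid=1&response=json 200
2025-05-01 10:01:05,200 INFO  [c.c.a.ApiServer] (userId=12 accountId=12) 10.1.2.3 -- GET command=listIsos&isofilter=selfexecutable&domainid=1&response=json 200
2025-05-01 10:02:00,300 INFO  [c.c.a.ApiServer] (userId=30 accountId=30) 10.1.2.9 -- GET command=listTemplates&templatefilter=featured&response=json 200
2025-05-01 10:02:30,400 INFO  [c.c.a.ApiServer] (userId=30 accountId=30) 10.1.2.9 -- GET command=listVirtualMachines&domainid=1&response=json 200
"""

LINE_RE = re.compile(
    r"\(userId=(?P<user>\d+) accountId=(?P<account>\d+)\).*?command=(?P<query>\S+)"
)
WATCHED_COMMANDS = {"listTemplates", "listIsos"}
SUSPECT_FILTERS = {"self", "selfexecutable"}


def find_suspect_calls(log_text):
    """Return (userId, accountId, command, domainid) for every line that matches
    the advisory's pattern; callers must still be triaged by role and version."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # The captured query string begins with the command name itself.
        params = {k: v[0] for k, v in parse_qs("command=" + m.group("query")).items()}
        cmd = params.get("command")
        if cmd not in WATCHED_COMMANDS or "domainid" not in params:
            continue
        # Accept 'templatefilter', 'isofilter' or the advisory's shorthand 'filter'.
        filters = {v for k, v in params.items() if k.endswith("filter")}
        if filters & SUSPECT_FILTERS:
            hits.append((m.group("user"), m.group("account"), cmd, params["domainid"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_calls(SAMPLE_LOG):
        print("suspect call:", hit)
```

Only hits from callers holding the Domain Admin or Resource Admin role on an unpatched version are relevant; resolve the userId to its role with listUsers before escalating.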
CVE-2025-47713: Domain Admin can reset Admin password in Root Domain
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources, which could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and loss of availability of infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.
Read the full security advisory here: https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0
CVE-2025-47849: Insecure access of user’s API/Secret Keys in the same domain
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can obtain the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources, which could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and loss of availability of infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.
Read the full security advisory here: https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0
CVE-2025-22829: Unauthorised access to dedicated resources in Quota plugin
The CloudStack Quota plugin has improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in a CloudStack 4.20.0.0 environment where this plugin is enabled, and who has access to the relevant APIs, can enable or disable the reception of quota-related emails for any account in the environment and list those accounts’ configurations. Quota plugin users running CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.
Read the full security advisory here: https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0
Resolution
The Apache CloudStack community has released security releases 4.19.3.0 and 4.20.1.0 to address the CVEs listed above. Users are recommended to upgrade to version 4.19.3.0, 4.20.1.0 or later, which addresses these issues.
Please refer to https://www.shapeblue.com/cloudstack-packages/ for usage of ShapeBlue-provided 4.19-based and 4.20-based security and LTS releases. To apply these patches, use the ShapeBlue CloudStack 4.19 or 4.20 repositories to upgrade packages on the management server hosts and the KVM hosts.
The 4.19.3.0 and 4.20.1.0 release notes can be found at:
– https://docs.cloudstack.apache.org/en/4.19.3.0/releasenotes/about.html
– https://docs.cloudstack.apache.org/en/4.20.1.0/releasenotes/about.html

Ivet Petrova is the Marketing Director of ShapeBlue. She is responsible for strengthening ShapeBlue’s global brand and market awareness of ShapeBlue’s services. Specifically, Ivet’s team is responsible for brand, advertising, content and digital marketing, social media, and media relations.
Ivet is also an active member of the CloudStack community, working on increasing the awareness of the technology and showing its benefits to a wider market.
Ivet has 13+ years of experience in marketing for IT service providers including a number of cloud and hosting providers, storage companies, SaaS providers and software development companies. She holds a Masters degree in Marketing.
Away from work, Ivet is passionate about travelling around the world and exploring new cultures.