CloudStack

v4.22.0.1 Security

This release patches 9 known CVEs for security teams tracking exposure across their dependency inventory.

Published 26 days ago. Category: Cloud Management.

Patched CVEs flagged by the tracker (9 in total): CVE-2017-12615 (EPSS 94%), CVE-2017-12617 (EPSS 94%), CVE-2020-1938 (EPSS 94%), plus 6 more.

Topics

cloud, cloudstack, iaas, infrastructure, java, kubernetes, kvm, libvirt, orchestration, python, virtual-machine, virtualization, vmware, vsphere, xcp-ng, xenserver

Summary

AI summary

CVE-2026-25077 fixes unauthenticated command injection in direct download templates.

Full changelog

This is a security release that fixes the following on top of the 4.22.0.1 release:

CVE-2025-66170: Any user can list backups that they should not have access to. (severity 'Low')
CVE-2025-66171: Any user can create a new VM from backups they should not have access to. (severity 'Important')
CVE-2025-66172: Any user can attach a volume in their VMs from backups they should not have access to. (severity 'Important')
CVE-2025-66467: MinIO policy remains intact on bucket deletion. (severity 'Important')
CVE-2025-69233: Domain/account resource limits not honored. (severity 'Moderate')
CVE-2026-25077: Unauthenticated command injection in direct download templates. (severity 'Important')
CVE-2026-25199: Proxmox extension allows unauthorized cross-tenant instance access. (severity 'Moderate')

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.20.3.0-4.22.0.1/

Release notes: https://docs.cloudstack.apache.org/en/4.22.0.1/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.22.0.1/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.22.0.1/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.22.0.1/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.22

Security Fixes

  • CVE-2025-66170 — Low severity: any user can list backups they should not access.
  • CVE-2025-66171 — Important severity: any user can create a VM from unauthorized backups.
  • CVE-2025-66172 — Important severity: any user can attach volumes from unauthorized backups.
  • CVE-2025-66467 — Important severity: MinIO policy remains intact on bucket deletion.
  • CVE-2025-69233 — Moderate severity: domain/account resource limits not honored.
  • CVE-2026-25077 — Important severity: unauthenticated command injection in direct download templates.
  • CVE-2026-25199 — Moderate severity: Proxmox Extension allows unauthorized cross-tenant instance access.


About CloudStack

Apache CloudStack is an open-source Infrastructure as a Service (IaaS) cloud computing platform.
