Release history
CloudStack releases
Apache CloudStack is an open-source Infrastructure as a Service (IaaS) cloud computing platform.
- CVE-2025-66170 — Low severity: any user can list backups they should not access.
- CVE-2025-66171 — Important severity: any user can create a VM from unauthorized backups.
- CVE-2025-66172 — Important severity: any user can attach volumes from unauthorized backups.
This is a security release that fixes the following on top of the 4.22.0.1 release:
- CVE-2025-66170: Any user can list backups that they should not have access to (severity 'Low')
- CVE-2025-66171: Any user can create a new VM from backups they should not have access to (severity 'Important')
- CVE-2025-66172: Any user can attach a volume in their VMs from backups they should not have access to (severity 'Important')
- CVE-2025-66467: MinIO policy remains intact on bucket deletion (severity 'Important')
- CVE-2025-69233: Domain/account resources limits not honored (severity 'Moderate')
- CVE-2026-25077: Unauthenticated Command Injection in Direct Download Templates (severity 'Important')
- CVE-2026-25199: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access (severity 'Moderate')
Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.20.3.0-4.22.0.1/
Release notes: https://docs.cloudstack.apache.org/en/4.22.0.1/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.22.0.1/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.22.0.1/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.22.0.1/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.22
Apache CloudStack 4.20 maintenance release
Release notes: https://docs.cloudstack.apache.org/en/4.20.3.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.20.3.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.20.3.0/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.20.3.0/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.20
Apache CloudStack 4.22.0.0 LTS release
Release notes: https://docs.cloudstack.apache.org/en/4.22.0.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.22.0.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.22.0.0/upgrading
Admin docs: htt
Apache CloudStack 4.20 maintenance release
Release notes: https://docs.cloudstack.apache.org/en/4.20.2.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.20.2.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.20.2.0/upgrading
Admin docs:
Apache CloudStack Regular Release 4.21.0.0
Release notes: https://docs.cloudstack.apache.org/en/4.21.0.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.21.0.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.21.0.0/upgrading
Admin docs:
- CVE-2025-26521: CKS cluster exposes user API keys
- CVE-2025-30675: Unauthorized template/ISO list access to domain/resource admins
- CVE-2025-47713: Domain Admin password reset in Root Domain