{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "4.21.0.0"
              },
              {
                "fixed": "4.22.0.0"
              }
            ],
            "source": "DESCRIPTION"
          },
          "events": [
            {
              "introduced": "f9513b47bf8cda46c2cee7e31d4d662346bc7399"
            },
            {
              "fixed": "71f47d61304d1a05627bc335c8d35d7ef1040fe1"
            }
          ],
          "repo": "https://github.com/apache/cloudstack",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "apache",
    "cwe_ids": [
      "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25199.json",
    "unresolved_ranges": [
      {
        "extracted_events": [
          {
            "introduced": "4.21.0"
          },
          {
            "last_affected": "4.22.0"
          }
        ],
        "source": "AFFECTED_FIELD"
      },
      {
        "extracted_events": [
          {
            "introduced": "4.21.0.0"
          },
          {
            "fixed": "4.22.0.0"
          }
        ],
        "source": "DESCRIPTION"
      }
    ]
  },
  "details": "Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants.\n\n\n\n\nThis issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0.\n\n\n\n\nThe Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine.\n\n\n\n\nUsers are recommended to upgrade to version 4.22.0.1, which fixes this issue.\n\n\n\n\nAs a workaround for the existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details.",
  "id": "CVE-2026-25199",
  "modified": "2026-07-08T05:36:12.881111603Z",
  "published": "2026-05-08T12:22:56.226Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/09/7"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25199.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25199"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache CloudStack: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access"
}