Unrated severityNVD Advisory· Published Nov 27, 2025· Updated Nov 28, 2025

Apache CloudStack: Lack of user permission validation leading to data leak for few APIs

CVE-2025-59454

Description

In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory

While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.

Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.

Affected products

Apache/Cloudstackllm-fuzzy
Range: <4.20.2.0, <4.22.0.0
Apache Software Foundation/Apache CloudStackv5
Range: 4.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbcmitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000