CVE-2026-39910
Description
STACKIT IaaS API allows authenticated attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to VMs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
STACKIT IaaS API contains a missing authorization check in the PUT /servers/{server_id}/service-accounts endpoint, which attaches service accounts to virtual machines. The endpoint did not verify that the caller was entitled to attach the requested service account. All versions of the STACKIT IaaS API prior to the fix are affected [2].
Exploitation
An authenticated, low-privileged attacker exploits this vulnerability by sending a PUT request to /servers/{server_id}/service-accounts for a VM they control, naming a service account they are not authorized to use. Because the endpoint does not check that entitlement, it attaches the service account, potentially a highly privileged one, to the attacker's VM. From inside that VM the attacker then queries the Instance Metadata Service, which issues OAuth2 tokens for the attached service account, and uses those tokens with the service account's privileges, bypassing tenant boundaries [2].
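The following is an added illustration, not STACKIT code and not the actual fix: a minimal model of an "attach service account to server" endpoint with and without the authorization check whose absence the advisory describes. The project, server and service-account names, the permission strings and the role names are constructed for the example; the real API's permission model is not known from the references.

```python
# Added illustration (not STACKIT code, not the real fix): a minimal model of an
# "attach service account to server" endpoint with and without the authorization
# check whose absence the advisory describes. Names, permission strings and the
# inventory below are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    server_id: str
    project_id: str


@dataclass(frozen=True)
class ServiceAccount:
    sa_id: str
    project_id: str      # project that owns the service account
    roles: frozenset     # roles its OAuth2 tokens carry (constructed names)


@dataclass(frozen=True)
class Caller:
    user_id: str
    project_id: str
    permissions: frozenset   # hypothetical "serviceaccount.attach:<sa_id>" grants


class Forbidden(Exception):
    """Stand-in for an HTTP 403 from the API."""


# Constructed inventory: the attacker owns one VM in proj-attacker; a highly
# privileged service account lives in a different project of the same organization.
SERVERS = {
    "srv-attacker": Server("srv-attacker", "proj-attacker"),
    "srv-victim": Server("srv-victim", "proj-platform"),
}
SERVICE_ACCOUNTS = {
    "sa-lowpriv": ServiceAccount("sa-lowpriv", "proj-attacker", frozenset({"project.reader"})),
    "sa-org-admin": ServiceAccount("sa-org-admin", "proj-platform", frozenset({"organization.admin"})),
}


def attach_vulnerable(caller, attachments, server_id, sa_id):
    """Models the flawed handler: it checks that the caller may manage the
    server, but never asks whether the caller may use the service account."""
    server = SERVERS[server_id]
    SERVICE_ACCOUNTS[sa_id]  # existence check only, raises KeyError if unknown
    if server.project_id != caller.project_id:
        raise Forbidden("server belongs to another project")
    attachments.setdefault(server_id, set()).add(sa_id)


def attach_hardened(caller, attachments, server_id, sa_id):
    """Adds the two checks the flawed handler lacks: the service account must
    belong to the server's project, and the caller must hold an explicit
    permission to attach that particular service account."""
    server = SERVERS[server_id]
    sa = SERVICE_ACCOUNTS[sa_id]
    if server.project_id != caller.project_id:
        raise Forbidden("server belongs to another project")
    if sa.project_id != server.project_id:
        raise Forbidden("service account belongs to another project")
    if f"serviceaccount.attach:{sa_id}" not in caller.permissions:
        raise Forbidden("caller may not attach this service account")
    attachments.setdefault(server_id, set()).add(sa_id)


def roles_reachable_via_imds(attachments, server_id):
    """What code running inside the VM obtains: the instance metadata service
    issues an OAuth2 token per attached service account, so the union of their
    roles is the privilege the VM's occupant now holds."""
    roles = set()
    for sa_id in attachments.get(server_id, ()):
        roles |= SERVICE_ACCOUNTS[sa_id].roles
    return roles


def run_scenario(attach):
    """Replays the advisory's attack against one handler. Returns the outcome
    of each attach call and the roles the attacker's VM ends up holding."""
    attachments = {}
    attacker = Caller("user-attacker", "proj-attacker",
                      frozenset({"serviceaccount.attach:sa-lowpriv"}))
    outcomes = {}
    for server_id, sa_id in (("srv-attacker", "sa-lowpriv"),
                             ("srv-attacker", "sa-org-admin"),
                             ("srv-victim", "sa-org-admin")):
        try:
            attach(attacker, attachments, server_id, sa_id)
            outcomes[(server_id, sa_id)] = "attached"
        except Forbidden:
            outcomes[(server_id, sa_id)] = "forbidden"
    return outcomes, roles_reachable_via_imds(attachments, "srv-attacker")


if __name__ == "__main__":
    for handler in (attach_vulnerable, attach_hardened):
        outcomes, roles = run_scenario(handler)
        print(handler.__name__, outcomes, sorted(roles))
```

Against the vulnerable handler the attacker's VM ends up with organization.admin via its metadata tokens even though the attacker could never attach anything to the victim's server; the hardened handler leaves the VM with only the low-privilege account the attacker is explicitly allowed to use. The point is that authorizing the server alone is not enough: the service account is a second resource, and attaching it is effectively an impersonation grant that needs its own check.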
Impact
Successful exploitation escalates a low-privileged tenant user to full organization compromise. The OAuth2 tokens obtained through the metadata service carry the attached service account's privileges, which are not bounded by the attacker's own tenant, so the attacker gains unauthorized control over the organization environment [2].
Mitigation
A fix for this vulnerability has been released; users should make sure they are on a patched version of the STACKIT IaaS API. No workarounds are disclosed in the available references [1, 2]. A reasonable check for tenants is to review which service accounts are attached to their servers and to treat any attachment they did not make as a compromise of that service account's tokens.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0 (no linked articles in our index yet)