CVE-2025-26521

Severity: 8.1 HIGH
EPSS: 0.2% (top 52.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 10, latest update Jun 11

Description

When an Apache CloudStack user account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller's account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access that CKS-based Kubernetes cluster can therefore also read the API key and secret key of the 'kubeadmin' user of the account that created the cluster. An attacker who is a member of the project can exploit this to impersonate and
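The practical check a cluster operator wants after reading the description is whether any secret inside a CKS cluster carries CloudStack API credentials at all. The scanner below is an added example, not code from the page or from the Apache CloudStack project. It assumes the CloudStack Kubernetes provider convention of a `cloudstack-secret` in `kube-system` whose `cloud-config` field is an INI file with `api-key` and `secret-key` entries (an assumption about that provider, not something the advisory states), and the `kubectl get secrets -A -o json` dump it scans is constructed inline with made-up key values.

```python
import base64
import configparser
import json
import re

# Credential field names used by the CloudStack Kubernetes provider's cloud-config
# (assumed convention; the advisory does not name the fields).
CREDENTIAL_FIELDS = ("api-key", "secret-key")
# Fallback matcher for secrets that hold the same fields in a non-INI layout.
KV_RE = re.compile(r"^\s*(api-key|secret-key)\s*[=:]\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample cloud-config; the key values are placeholders, not real keys.
CLOUD_CONFIG = (
    "[Global]\n"
    "api-url = https://cloudstack.example.internal/client/api\n"
    "api-key = EXAMPLEAPIKEY_of_cluster_creator_kubeadmin_00000000000\n"
    "secret-key = EXAMPLESECRETKEY_of_cluster_creator_kubeadmin_0000000\n"
)

# Constructed `kubectl get secrets -A -o json` dump: one provider secret (assumed
# name/namespace) and one unrelated TLS secret that must not be flagged.
SAMPLE_SECRET_DUMP = json.dumps({
    "kind": "SecretList",
    "items": [
        {"metadata": {"name": "cloudstack-secret", "namespace": "kube-system"},
         "type": "Opaque",
         "data": {"cloud-config": _b64(CLOUD_CONFIG)}},
        {"metadata": {"name": "app-tls", "namespace": "default"},
         "type": "kubernetes.io/tls",
         "data": {"tls.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"),
                  "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")}},
    ],
})


def redact(value):
    """Keep a 4-char prefix and the length so a report never re-leaks the key."""
    return value[:4] + "..." + f"({len(value)} chars)"


def extract_credentials(text):
    """Return {field: value} for any CloudStack credential fields in a decoded secret value."""
    found = {}
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
        for section in parser.sections():
            for field in CREDENTIAL_FIELDS:
                if parser.has_option(section, field):
                    found[field] = parser.get(section, field)
    except configparser.Error:
        pass  # not an INI file; fall through to the line matcher
    for m in KV_RE.finditer(text):
        found.setdefault(m.group(1).lower(), m.group(2))
    return found


def find_cloudstack_keys(secret_dump_json):
    """Scan a Secret list dump and report every field holding CloudStack API credentials."""
    findings = []
    for item in json.loads(secret_dump_json).get("items", []):
        meta = item.get("metadata", {})
        for data_key, b64 in (item.get("data") or {}).items():
            try:
                text = base64.b64decode(b64).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # binary payloads (DER keys, tokens) cannot be a cloud-config
            creds = extract_credentials(text)
            if "api-key" in creds or "secret-key" in creds:
                findings.append({
                    "namespace": meta.get("namespace"),
                    "secret": meta.get("name"),
                    "field": data_key,
                    "api_key": redact(creds["api-key"]) if "api-key" in creds else None,
                    "has_secret_key": "secret-key" in creds,
                })
    return findings


if __name__ == "__main__":
    for finding in find_cloudstack_keys(SAMPLE_SECRET_DUMP):
        print(finding)
```

To run this against a live CKS cluster, replace `SAMPLE_SECRET_DUMP` with `sys.stdin.read()` and pipe `kubectl get secrets -A -o json` into it; any hit whose `api_key` prefix matches a CloudStack account's key is a credential that every project member with that kubeconfig can read, and the listed key pair should be rotated.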

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

Source     Package                                       Introduced  Fixed     Ranges
NVD        apache/cloudstack                             4.17.0.0    4.19.3.0  +1 more
CVEListV5  apache_software_foundation/apache_cloudstack  4.17.0.0    4.19.3.0  +1 more

Vulnerability Details (2)

GHSA (2025-06-11)
GHSA-r5jq-h47c-74h3: When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of

CVEList (2025-06-10)
Apache CloudStack: CKS cluster in project exposes user API keys