CVE-2026-39910
Published: 2026-06-08
Priority: P2 (64) · Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% (21.8th percentile)
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| stackit | iaas_api | < 2026-05-28 | 2026-05-28 |
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
CVE-2026-39910 [CRITICAL] STACKIT IaaS API prior 2026-05-28 Instance Metadata Service authorization
vuldb · 2026-06-08 · CVSS 9.8
A vulnerability classified as critical was found in STACKIT IaaS API. This affects an unknown function of the component Instance Metadata Service. Such manipulation leads to missing authorization.
This vulnerability is listed as CVE-2026-39910. The attack may be performed from remote. There is no available exploit.
This product is available as a managed service. Users are not able to maintain vulnerability countermeasures themselves. Upgrading the affected component is advised.
GHSA
CVE-2026-39910 [CRITICAL] · CWE-862 (Missing Authorization)
ghsa_unreviewed · 2026-06-08
Advisory text is identical to the summary above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.