CVE-2025-66467
CVE-2025-66467 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fix this issue. EPSS estimates a 0.37% chance of exploitation in the next 30 days.
Description
Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Cloudstack | >= 4.19.0.0, < 4.20.3.0 |
| Apache | Cloudstack | >= 4.21.0.0, < 4.22.0.1 |
References
- https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/05/09/4 (Mailing List, Third Party Advisory)
Timeline
- Status: Analyzed
Source: NVD / NIST
