{"schema_version": "1.6.1", "id": "CVE-2026-25199", "summary": "Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access", "details": "Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants.\n\n\n\n\nThis issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0.\n\n\n\n\nThe Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine.\n\n\n\n\nUsers are recommended to upgrade to version 4.22.0.1, which fixes this issue.\n\n\n\n\nAs a workaround for the existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "4.21.0"}, {"last_affected": "4.21.0"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm"}]}