What is CVE-2025-66467?

CVE-2025-66467 is a high-severity vulnerability in Apache Cloudstack, classified under Incomplete Cleanup. CVSS score: 8.0/10. Published 2026-05-08.

How severe is CVE-2025-66467?

High severity. CVSS v3 base score is 8.0 out of 10.

Vulnerability in Apache Cloudstack

CVE-2025-66467

Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized…

EPSS: 0.000 (1.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.0 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H.

Affected products

Apache Cloudstack
Apache Software Foundation Cloudstack — versions 4.19.0.0, 4.21.0.0

Weakness classification (CWE)

CWE-459 — Incomplete Cleanup

References

security@apache.org (vendor-advisory, Mailing List, Vendor Advisory)
af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Third Party Advisory)

Frequently asked questions

What is CVE-2025-66467?: CVE-2025-66467 is a high-severity vulnerability in Apache Cloudstack, classified under Incomplete Cleanup. CVSS score: 8.0/10. Published 2026-05-08.
How severe is CVE-2025-66467?: High severity. CVSS v3 base score is 8.0 out of 10.