Canonical Cloud Init


By the Year

In 2026 there have been 0 vulnerabilities in Canonical Cloud Init. Last year, in 2025, Cloud Init had 1 security vulnerability published. Right now, Cloud Init is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 1 0.00
2024 0 0.00
2023 3 5.50
2022 0 0.00
2021 0 0.00
2020 2 0.00
2019 0 0.00
2018 1 0.00

It may take a day or so for new Cloud Init vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Canonical Cloud Init Security Vulnerabilities

cloud-init 25.1.2 socket mode 0666 allows unprivileged hotplug command exec
CVE-2024-11584 - June 26, 2025

cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

Cloud-init Sensitive Data in Logs Before 23.1.2
CVE-2023-1786 5.5 - Medium - April 26, 2023

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.

Insertion of Sensitive Information into Log File

cloud-init <=22.2 Sensitive Data Leak via World-readable Logs
CVE-2022-2084 5.5 - Medium - April 19, 2023

Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.

Insertion of Sensitive Information into Log File

cloud-init <21.2: Password logged in cloud-init-output.log, local takeover
CVE-2021-3429 5.5 - Medium - April 19, 2023

When instructing cloud-init to set a random password for a new user account, versions before 21.2 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user.

Insertion of Sensitive Information into Log File

cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords
CVE-2020-8631 - February 05, 2020

cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.

In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value
CVE-2020-8632 - February 05, 2020

In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.

The default cloud-init configuration
CVE-2018-10896 - August 01, 2018

The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of SSH host keys. In some environments, this could lead to instances created by cloning a golden master or template system sharing SSH host keys, and being able to impersonate one another or conduct man-in-the-middle attacks.

Use of Hard-coded Cryptographic Key
