Apache CloudStack <=4.20.2 Bucket Deletion Leak MinIO Access Keys
CVE-2025-66467 Published on May 8, 2026
Apache CloudStack: MinIO policy remains intact on bucket deletion
Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys.
Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
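A defender-side check for the condition described above, as an added example that is not part of the advisory or of CloudStack's code: given exported MinIO policy documents (S3-style JSON) and the names of the buckets that currently exist, it reports policies that still grant access to bucket names that no longer exist, and lists which policies would apply to a bucket name before it is reused. The policy names, bucket names and helper names are assumptions, and the sample data is constructed.

```python
from fnmatch import fnmatchcase

ARN_PREFIX = "arn:aws:s3:::"

def buckets_in_policy(policy):
    """Return bucket names (or wildcard patterns) that Allow statements refer to."""
    names = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res.startswith(ARN_PREFIX):
                # "arn:aws:s3:::bucket/prefix/*" -> "bucket"
                bucket = res[len(ARN_PREFIX):].split("/", 1)[0]
                if bucket:
                    names.add(bucket)
    return names

def find_stale_policies(policies, live_buckets):
    """Map policy name -> buckets it names explicitly that no longer exist."""
    stale = {}
    for name, doc in policies.items():
        missing = sorted(b for b in buckets_in_policy(doc)
                         if "*" not in b and "?" not in b and b not in live_buckets)
        if missing:
            stale[name] = missing
    return stale

def policies_granting(bucket, policies):
    """Policies that would already apply to `bucket` if it were created now."""
    return sorted(name for name, doc in policies.items()
                  if any(fnmatchcase(bucket, pat) for pat in buckets_in_policy(doc)))

# Constructed sample data: three policy documents and the buckets that exist.
def _allow(*resources):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": list(resources)}]}

SAMPLE_POLICIES = {
    "reports-policy": _allow("arn:aws:s3:::reports", "arn:aws:s3:::reports/*"),  # bucket deleted
    "media-policy": _allow("arn:aws:s3:::media/*"),
    "admin-all-policy": _allow("arn:aws:s3:::*"),  # intentional wildcard, not flagged as stale
}
SAMPLE_LIVE_BUCKETS = {"media", "backups"}

if __name__ == "__main__":
    print(find_stale_policies(SAMPLE_POLICIES, SAMPLE_LIVE_BUCKETS))
    print(policies_granting("reports", SAMPLE_POLICIES))
```

Any policy reported by `find_stale_policies` is a candidate for removal, together with the access keys attached to it, before the bucket name is allowed to be created again.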
Vulnerability Analysis
CVE-2025-66467 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is an Insufficient Cleanup Vulnerability?
The software does not properly "clean up" and remove temporary or supporting resources after they have been used.
CVE-2025-66467 has been classified as an Insufficient Cleanup vulnerability or weakness.
Products Associated with CVE-2025-66467
Affected Versions
Apache Software Foundation Apache CloudStack:
- Version 4.19.0.0, <= 4.20.2.0 is affected.
- Version 4.21.0.0, <= 4.22.0.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.