CVE-2025-26521: Apache CloudStack User Account Vulnerability in Kubernetes Cluster Creation

Overview

The CVE-2025-26521 is a significant vulnerability that impacts Apache CloudStack user accounts when they create a CloudStack Kubernetes Service (CKS) based Kubernetes cluster within a project. This vulnerability arises from the misuse of the ‘kubeadmin’ user’s API key and secret key during the creation of the secret config in the CKS-based Kubernetes cluster. The vulnerability is of significant concern as it can potentially lead to system compromise or data leakage if exploited by an attacker who is a member of the same project.

Vulnerability Summary

CVE ID: CVE-2025-26521
Severity: High (8.1)
Attack Vector: Network
Privileges Required: Low
User Interaction: None
Impact: Full system compromise, data leakage

Affected Products

Product | Affected Versions

Apache CloudStack | Versions prior to 4.19.3.0 and 4.20.1.0

How the Exploit Works

The exploit takes advantage of the fact that the API key and secret key of the ‘kubeadmin’ user of the caller account are used during the creation of the secret config in the CKS-based Kubernetes cluster. An attacker who has access to the project can exploit this vulnerability to impersonate the ‘kubeadmin’ user, thereby leading to potential system compromise or data leakage.

Conceptual Example Code

Given the nature of this vulnerability, there is no direct exploitation code. However, an attacker who has access to the project could potentially retrieve the ‘kubeadmin’ user’s API key and secret key through the CKS-based Kubernetes cluster.
For example, using `kubectl` to access secrets:

kubectl -n kube-system get secret cloudstack-secret -o jsonpath='{.data}'

This would output the encoded secret containing the ‘kubeadmin’ user’s API key and secret key, which could then be decoded and used to impersonate the ‘kubeadmin’ user and perform privileged actions.