CVE-2025-66467: MinIO Policy Cleanup Flaw in Apache CloudStack Grants Unauthorized Access

/HIGH /CVSS 8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-459
CVE-2025-66467: MinIO Policy Cleanup Flaw in Apache CloudStack Grants Unauthorized Access

A critical vulnerability, CVE-2025-66467, has been identified in Apache CloudStack, stemming from a missing MinIO policy cleanup mechanism. The National Vulnerability Database reports that this flaw allows users to retain access policies to MinIO buckets even after those buckets have been deleted. This isn’t just a lingering entry; it’s a live access key.

The real danger emerges when another user re-creates a bucket with the same name. The previous owner, still holding the old access and secret keys, can then gain unauthorized read and write access to the newly created, identically named bucket. This bypasses intended access controls entirely, creating a significant data integrity and confidentiality risk. The National Vulnerability Database assigns this a CVSS score of 8 (HIGH).

Defenders leveraging Apache CloudStack with MinIO integration need to prioritize this. This isn’t theoretical; it’s a direct path for privilege escalation and data manipulation. The National Vulnerability Database recommends upgrading to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, to remediate this issue. Patching is non-negotiable here.

What This Means For You

  • If your organization uses Apache CloudStack with MinIO, you are exposed. Check your CloudStack versions immediately. Patch to 4.20.3.0 or 4.22.0.1 or later. Beyond patching, audit your MinIO bucket deletion procedures and review access logs for any anomalous activity on re-created buckets. This CVE-2025-66467 exploit is a silent, persistent threat if not addressed.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1078.004 Cloud Accounts Persistence T1078.004 Cloud Accounts Privilege Escalation

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2025-66467: MinIO Bucket Access via Reused Credentials

Sigma YAML — free preview 
title: CVE-2025-66467: MinIO Bucket Access via Reused Credentials
id: scw-2026-05-08-ai-1
status: experimental
level: high
description: |
  Detects attempts to access MinIO buckets using access and secret keys in the URI query parameters. This is indicative of the vulnerability CVE-2025-66467, where deleted bucket owners can reuse old credentials to access newly created buckets with the same name, bypassing intended access controls.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2025-66467/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/buckets/'
      cs-uri-query|contains:
          - 'accessKey='
      cs-uri-query|contains:
          - 'secretKey='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2025-66467 Auth Bypass Missing MinIO policy cleanup on bucket deletion in Apache CloudStack
CVE-2025-66467 Privilege Escalation Unauthorized read and write access to re-created buckets via retained MinIO access/secret keys
CVE-2025-66467 Misconfiguration Apache CloudStack versions < 4.20.3.0 and < 4.22.0.1

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 08, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate

CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console...

vulnerabilityCVEmedium-severitycwe-862
/SCW Vulnerability Desk /MEDIUM /4.3 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-6666 — A possible null pointer reference in PgBouncer before

CVE-2026-6666 — A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE...

vulnerabilityCVEmedium-severitycwe-476
/SCW Vulnerability Desk /MEDIUM /5.9 /⚑ 2 IOCs /⚙ 1 Sigma

PgBouncer SCRAM Vulnerability (CVE-2026-6665) Allows Stack Overflow

CVE-2026-6665 — The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM...

vulnerabilityCVEhigh-severitycwe-121
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 4 IOCs /⚙ 2 Sigma