CVE-2026-25199

Apache · CloudStack

The Proxmox extension for Apache CloudStack allows unauthorized cross-tenant access to virtual machines due to improper validation of the proxmox_vmid setting.

Executive summary

An authorization bypass in the Apache CloudStack Proxmox extension allows non-privileged tenants to gain full control over virtual machines belonging to other accounts.

Vulnerability

The extension fails to restrict or validate the proxmox_vmid instance setting against tenant ownership. An authenticated tenant can predict or modify this value to associate their CloudStack instance with a victim's Proxmox VM, bypassing multi-tenancy isolation.

Business impact

This flaw effectively breaks the isolation between tenants, allowing a malicious user to destroy, stop, or control another organization's infrastructure. The 9.1 CVSS score highlights the severe risk to data integrity and service availability in multi-tenant cloud environments.

Remediation

Immediate Action: Upgrade Apache CloudStack to version 4.22.0.1 to resolve the authorization logic error.

Proactive Monitoring: Review audit logs for unexpected modifications to the proxmox_vmid parameter or unauthorized attempts to manage virtual machines.

Compensating Controls: As a temporary mitigation, update the global configuration parameter user.vm.denied.details to prevent users from editing the proxmox_vmid detail.
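The upgrade, monitoring and compensating-control steps above, as an added Python example (not CloudStack's own code): it checks whether a running version is at or past the fixed release, builds the hardened user.vm.denied.details value without dropping existing entries, and flags proxmox_vmid edits by non-admin accounts in audit lines. The audit-line layout and the sample lines are constructed for this example; CloudStack's real log format differs, so the regex would need adapting before use.

```python
"""Defender-side checks for CVE-2026-25199 (added example, not CloudStack code)."""
from __future__ import annotations
import re
from typing import Iterable

FIXED_VERSION = (4, 22, 0, 1)          # fixed release named in the advisory
DENIED_KEY = "user.vm.denied.details"  # CloudStack global setting used as workaround
VMID_DETAIL = "proxmox_vmid"           # VM detail the extension fails to validate


def version_is_fixed(version: str) -> bool:
    """True if a CloudStack version string is 4.22.0.1 or later."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (4 - len(parts))      # pad short versions such as "4.23"
    return tuple(parts[:4]) >= FIXED_VERSION


def harden_denied_details(current: str) -> str:
    """Return the value user.vm.denied.details should hold so tenants can no
    longer edit proxmox_vmid; entries already in the list are preserved."""
    keys = [k.strip() for k in current.split(",") if k.strip()]
    if VMID_DETAIL not in keys:
        keys.append(VMID_DETAIL)
    return ",".join(keys)


def is_hardened(current: str) -> bool:
    """True if the current setting already denies proxmox_vmid edits."""
    return VMID_DETAIL in {k.strip() for k in current.split(",")}


# Constructed audit-line shape (an assumption, not CloudStack's real format):
# "<ts> account=<name> event=<EVENT> vm=<id> details=<k1=v1;k2=v2>"
LINE_RE = re.compile(
    r"account=(?P<account>\S+)\s+event=(?P<event>\S+)\s+vm=(?P<vm>\S+)\s+details=(?P<details>\S+)"
)

SAMPLE_LOG = [  # constructed sample lines, not real log output
    "2026-01-10T10:00:01Z account=admin event=VM.UPDATE vm=vm-1 details=proxmox_vmid=100",
    "2026-01-10T10:02:17Z account=tenant-b event=VM.UPDATE vm=vm-7 details=displayname=x;proxmox_vmid=100",
    "2026-01-10T10:03:00Z account=tenant-b event=VM.START vm=vm-7 details=none",
]


def find_vmid_changes(lines: Iterable[str], admins=frozenset({"admin"})) -> list[dict]:
    """Flag VM detail updates that touch proxmox_vmid from non-admin accounts."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["event"] != "VM.UPDATE":
            continue
        details = dict(kv.split("=", 1) for kv in m["details"].split(";") if "=" in kv)
        if VMID_DETAIL in details and m["account"] not in admins:
            hits.append({"account": m["account"], "vm": m["vm"], VMID_DETAIL: details[VMID_DETAIL]})
    return hits
```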

Exploitation status

Public Exploit Available: false

Analyst recommendation

The vulnerability poses a critical threat to multi-tenant environments. It is imperative that administrators immediately apply the provided workaround or upgrade to version 4.22.0.1 to maintain security boundaries and prevent unauthorized cross-tenant access.